Bug #8304
pfSense locks up when Android device connects to L2TP/IPsec VPN that forces SHA-256 in phase 2
Status: Closed
Description
Discovered this by trying to follow this tutorial and messing with the encryption settings.
https://doc.pfsense.org/index.php/L2TP/IPsec
It seems to be a very weird edge case where if I try to connect with my Android phone to the L2TP/IPsec VPN with only SHA-256 hashing enabled in phase 2, pfSense will lock up, spam errors to console, and get killed by the watchdog. I haven't encountered this crash before, and the crash doesn't happen with any other hash algorithms.
I'm running pfSense 2.4.2-RELEASE-p1 which has StrongSwan 5.6.0. I'm trying to connect from a phone running Android 7.0, security update December 1, 2017.
When I connect from my laptop running StrongSwan 5.6.1, the connection works fine.
The logs seem to get eaten during the crash, but I did upload the web configurator "crash report" about 20 minutes ago, and I've attached screenshots of my config. I've also attached a log from connecting with the same device, but using SHA-512 for phase 2, which doesn't crash pfSense.
Updated by Justin Lex over 7 years ago
I noticed I wasn't 100% clear on the conditions: The Android connection works just fine if I set MD5 or SHA1 hashing in phase 2, but it fails if I use SHA-384 or SHA-512, and it crashes pfSense if I use SHA-256.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Feedback
- Priority changed from High to Normal
Is there a forum thread or reddit post with more detail? There isn't anything that stands out in what you have posted so far.
In order to track down the crash report we need to know the IPv4 and/or IPv6 address of your system, or at least enough of the prefix to find it on the server (usually the first 2-3 sections of the IPv4 or IPv6 address are enough, when combined with the time).
It could be that the additional hashing is triggering a hardware issue in your case, but without seeing the report it's tough to speculate about a cause. We prefer to see these issues discussed on the forum or on the pfSense subreddit first, so by the time it makes it to a ticket we have more supporting evidence that there is an actual bug at work and not something specific to your hardware or environment.
Updated by Justin Lex over 7 years ago
Ah, I see. I'm a bit new to bug reporting.
My WAN IP was 158.174.30.59.
I didn't make a Reddit post or anything because it stood out pretty clearly as some sort of bug (and possibly a DOS vuln), and it had an easy workaround for my use-case. But yeah, I've never had that sort of crash on this hardware, and it only happens with a very specific configuration (longer hashes don't even trigger it), so it was unlikely to be a hardware issue.
Anyway, I'll go ahead and make a forum post so I can come back with more information about what's happening.
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Not a Bug
The two crash reports in the submission from that IP address are different and at very low levels of code in the operating system where there are unlikely to be bugs.
It's possible you have some other hardware issue that is manifesting itself only in that specific configuration or load, but I'm not seeing anything that looks like a bug as described.
If the discussion on the forum turns up anything more concrete this can be reopened or a new issue can be created instead.