Project

General

Profile

Actions

Feature #9309

closed

Allow manual selection of IPsec IKE Pseudo-Random Function (PRF)

Added by Florian K. over 5 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
02/07/2019
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

If you want to use AES-GCM, you don't need an integrity algorithm, but you do need a pseudo random function.

See https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites :

If combined-mode (AEAD) ciphers are proposed there won't be any integrity algorithms from which to derive PRFs, so in such a proposal PRF algorithms have to be configured explicitly.

Also, please see the comment of Joel Schulze regarding phase one proposals in https://wiki.strongswan.org/issues/2808

Problem: When I configure a "Phase 1 Proposal (Encryption Algorithm)" of
- Algorithm: AES256-GCM
- Keylength: 128 bits
- Hash: SHA256
- DH-Group: 21

Then, the line `ike = aes256gcm128-sha256-ecp521!` will be created in ipsec.conf.
However, the correct value would be `ike = aes256gcm128-prfsha256-ecp521!`
(Note that sha256 is a hash function and prfsha256 is a pseudo-random-function.)

Proposal:
- Rename the label of the dropdown "Hash" to "Hash/PRF" (the values of the dropdown can fortunately stay the same)
- When a AES-GCM algorithm is selected, interpret the value in this field as PRF and therefore add the correct value as described in
"Pseudo-random Functions" of https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites .
(Basically, use the same string, but with a "prf" prefix.)


Files

Screenshot from 2019-11-09 14-58-03.png (125 KB) Screenshot from 2019-11-09 14-58-03.png WebGUI screenshot Viktor Gurov, 11/09/2019 06:00 AM
Actions #1

Updated by Jim Pingle over 5 years ago

That's what AES-XCBC is for:

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

This could be handled better, but the correct choice is documented.

Actions #2

Updated by Florian K. over 5 years ago

Thanks Jim for pointing out the documentation - but the documentation does not match the implementation:

The documentation says:

When using AES-GCM, this is used solely as a PRF because AES-GCM already performs hashing internally.

That would be the correct behavior. However, pfSense behaves differently. As I wrote above, it does NOT use "prfsha256" (as it should and as it is documented). It uses "sha256" which is wrong (see the strongswan docs and the comment of Joel Schulze.)

Maybe AES-XCBC is a good choice - but if the client does not support it, it would be good to be able to use prfsha256 (or one of the other PRFs.)

Actions #3

Updated by Jim Pingle about 5 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Configuration AES-GCM for IKEv2 phase 1 does not work to Allow manual selection of IPsec IKE Pseudo-Random Function (PRF)
  • Affected Version deleted (2.4.4_2)

Adding another selector to set the prf (with an option to automatically assume it based on Hash choice) seems best, but that's a new feature, not a bug.

Actions #4

Updated by Viktor Gurov about 5 years ago

Jim Pingle wrote:

Adding another selector to set the prf (with an option to automatically assume it based on Hash choice) seems best, but that's a new feature, not a bug.

Without this feature, pfSense can't connect to host whose proposal PRF != Integrity.

IOS for example:

crypto ikev2 proposal PROP1
encryption aes-cbc-256
prf md5
integrity sha384
group 14

Actions #5

Updated by Viktor Gurov about 5 years ago

Currently manual selection of PRF supported by:
Cisco IOS/IOS-XE/ASA, Huawei routers/firewalls and Google CloudVPN

Most of other vendors (CheckPoint, Palo Alto, Mikrotik, Sophos) doesn't support this feature

Actions #8

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Pull Request Review
Actions #9

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0

Pull request has been merged. Thanks!

Actions #10

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

works as expected on 2.5.0.a.20200207.2007

Actions #11

Updated by Viktor Gurov over 4 years ago

  • Status changed from Resolved to Feedback

If no IPsec PH2 hashes selected (i.e. AES-GCM) after pressing 'apply' you got:

Fatal error: Uncaught ArgumentCountError: Too few arguments to function ipsec_setup_proposal_algo(), 4 passed in /etc/inc/ipsec.inc on line 1922 and exactly 5 expected in /etc/inc/ipsec.inc:1862

see https://forum.netgate.com/topic/150353/ipsec-php-fatal-error-uncaught-argumentcounterror-too-few-arguments-to-function-ipsec_setup_proposal_algo-4-passed/2

This PR fix this issue:
https://github.com/pfsense/pfsense/pull/4188

Actions #12

Updated by Renato Botelho over 4 years ago

Viktor Gurov wrote:

If no IPsec PH2 hashes selected (i.e. AES-GCM) after pressing 'apply' you got:
[...]

see https://forum.netgate.com/topic/150353/ipsec-php-fatal-error-uncaught-argumentcounterror-too-few-arguments-to-function-ipsec_setup_proposal_algo-4-passed/2

This PR fix this issue:
https://github.com/pfsense/pfsense/pull/4188

PR merged. Thanks!

Actions #13

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

works as expected on 2.5.0.a.20200211.1811

Actions

Also available in: Atom PDF