Feature #9309
closed
Allow manual selection of IPsec IKE Pseudo-Random Function (PRF)
Description
If you want to use AES-GCM, you don't need an integrity algorithm, but you do need a pseudo random function.
See https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites :
If combined-mode (AEAD) ciphers are proposed there won't be any integrity algorithms from which to derive PRFs, so in such a proposal PRF algorithms have to be configured explicitly.
Also, please see the comment of Joel Schulze regarding phase one proposals in https://wiki.strongswan.org/issues/2808
Problem: When I configure a "Phase 1 Proposal (Encryption Algorithm)" of
- Algorithm: AES256-GCM
- Keylength: 128 bits
- Hash: SHA256
- DH-Group: 21
Then, the line `ike = aes256gcm128-sha256-ecp521!` will be created in ipsec.conf.
However, the correct value would be `ike = aes256gcm128-prfsha256-ecp521!`
(Note that sha256 is a hash function and prfsha256 is a pseudo-random-function.)
Proposal:
- Rename the label of the dropdown "Hash" to "Hash/PRF" (the values of the dropdown can fortunately stay the same)
- When an AES-GCM algorithm is selected, interpret the value in this field as PRF and therefore add the correct value as described in "Pseudo-random Functions" of https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites .
(Basically, use the same string, but with a "prf" prefix.)
Updated by Jim Pingle almost 6 years ago
That's what AES-XCBC is for:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html
This could be handled better, but the correct choice is documented.
Updated by Florian K. almost 6 years ago
Thanks Jim for pointing out the documentation - but the documentation does not match the implementation:
The documentation says:
When using AES-GCM, this is used solely as a PRF because AES-GCM already performs hashing internally.
That would be the correct behavior. However, pfSense behaves differently. As I wrote above, it does NOT use "prfsha256" (as it should and as it is documented). It uses "sha256" which is wrong (see the strongswan docs and the comment of Joel Schulze.)
Maybe AES-XCBC is a good choice - but if the client does not support it, it would be good to be able to use prfsha256 (or one of the other PRFs.)
Updated by Jim Pingle over 5 years ago
- Tracker changed from Bug to Feature
- Subject changed from Configuration AES-GCM for IKEv2 phase 1 does not work to Allow manual selection of IPsec IKE Pseudo-Random Function (PRF)
- Affected Version deleted (2.4.4_2)
Adding another selector to set the prf (with an option to automatically assume it based on Hash choice) seems best, but that's a new feature, not a bug.
Updated by Viktor Gurov about 5 years ago
Jim Pingle wrote:
Adding another selector to set the prf (with an option to automatically assume it based on Hash choice) seems best, but that's a new feature, not a bug.
Without this feature, pfSense can't connect to a host whose proposal PRF != Integrity.
IOS for example:
```
crypto ikev2 proposal PROP1
 encryption aes-cbc-256
 prf md5
 integrity sha384
 group 14
```
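The two cases raised in this thread (an AEAD cipher, where the "Hash" choice has to be emitted with a `prf` prefix, and a peer whose PRF differs from its integrity algorithm) can be expressed as one proposal builder. This is an added Python example, not pfSense's own code; `ike_proposal` and the keyword tables are hypothetical names, and the tables hold only a small subset of strongSwan's keywords.

```python
# Added example (hypothetical names). The tables are a small subset of
# strongSwan's IKEv2 keywords; every hash keyword listed here has a PRF
# keyword that is the same string with a "prf" prefix.
AEAD_CIPHERS = {"aes128gcm128", "aes256gcm128"}
CBC_CIPHERS = {"aes128", "aes256"}
HASHES = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
DH_GROUPS = {14: "modp2048", 19: "ecp256", 20: "ecp384", 21: "ecp521"}


def ike_proposal(cipher, hash_alg, dh_group, prf=None, strict=True):
    """Return the value for an ipsec.conf `ike =` line.

    hash_alg: the GUI "Hash" choice (integrity algorithm for CBC ciphers).
    prf:      explicit PRF choice; None means derive it from hash_alg.
    """
    if cipher not in AEAD_CIPHERS | CBC_CIPHERS:
        raise ValueError(f"unsupported cipher: {cipher}")
    if dh_group not in DH_GROUPS:
        raise ValueError(f"unsupported DH group: {dh_group}")
    for name in (hash_alg, prf):
        if name is not None and name not in HASHES:
            raise ValueError(f"unsupported hash/PRF: {name}")

    parts = [cipher]
    if cipher in AEAD_CIPHERS:
        # AEAD: no integrity keyword is emitted, so the PRF must be explicit.
        chosen = prf or hash_alg
        if chosen is None:
            raise ValueError("AEAD proposals need a PRF")
        parts.append("prf" + chosen)
    else:
        if hash_alg is None:
            raise ValueError("non-AEAD proposals need an integrity algorithm")
        parts.append(hash_alg)
        # Emit a PRF keyword only when it differs from the integrity choice;
        # otherwise strongSwan derives the PRF from the integrity algorithm.
        if prf is not None and prf != hash_alg:
            parts.append("prf" + prf)
    parts.append(DH_GROUPS[dh_group])
    return "-".join(parts) + ("!" if strict else "")


if __name__ == "__main__":
    print(ike_proposal("aes256gcm128", "sha256", 21))
    print(ike_proposal("aes256", "sha384", 14, prf="md5"))
```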
Updated by Viktor Gurov about 5 years ago
Currently manual selection of PRF is supported by:
Cisco IOS/IOS-XE/ASA, Huawei routers/firewalls and Google CloudVPN
Most other vendors (CheckPoint, Palo Alto, Mikrotik, Sophos) don't support this feature
Updated by Viktor Gurov about 5 years ago
Updated by Jim Pingle about 5 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho almost 5 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- Target version set to 2.5.0
Pull request has been merged. Thanks!
Updated by Viktor Gurov almost 5 years ago
- Status changed from Feedback to Resolved
works as expected on 2.5.0.a.20200207.2007
Updated by Viktor Gurov almost 5 years ago
- Status changed from Resolved to Feedback
If no IPsec PH2 hashes are selected (i.e. AES-GCM), after pressing 'apply' you get:
Fatal error: Uncaught ArgumentCountError: Too few arguments to function ipsec_setup_proposal_algo(), 4 passed in /etc/inc/ipsec.inc on line 1922 and exactly 5 expected in /etc/inc/ipsec.inc:1862
This PR fixes this issue:
https://github.com/pfsense/pfsense/pull/4188
Updated by Renato Botelho almost 5 years ago
Viktor Gurov wrote:
If no IPsec PH2 hashes are selected (i.e. AES-GCM), after pressing 'apply' you get:
[...] This PR fixes this issue:
https://github.com/pfsense/pfsense/pull/4188
PR merged. Thanks!
Updated by Viktor Gurov almost 5 years ago
- Status changed from Feedback to Resolved
works as expected on 2.5.0.a.20200211.1811