<p>pfSense bugtracker: <a href="https://redmine.pfsense.org/issues/9531">pfSense - Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)</a></p>

<p>Jim Pingle, 2019-05-17T08:16:04Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40670">journal_id=40670</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul>

<p>Jim Pingle, 2019-05-17T10:04:32Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40671">journal_id=40671</a>)</p>
<p>Group 31 (curve25519) works. Group 32 (curve448) does not. Appears to be a strongSwan issue; I raised a bug report upstream: <a class="external" href="https://wiki.strongswan.org/issues/3064">https://wiki.strongswan.org/issues/3064</a></p>
<p>Commit coming shortly which enables the curve25519 plugin and group 31.</p>

<p>Jim Pingle, 2019-05-17T10:15:18Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40672">journal_id=40672</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Add RFC 8031 Group 31 to IPsec. Implements #9531" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/4fc267484e604509b072b398642f19cb6797ef21">4fc267484e604509b072b398642f19cb6797ef21</a>.</p>

<p>Jim Pingle, 2019-05-17T10:27:13Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40673">journal_id=40673</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li></ul><p>That was quick. Fix is in upstream: <a class="external" href="https://wiki.strongswan.org/projects/strongswan/repository/revisions/97708f7ff7571a159ca9a3d03804ffc506469449/diff">https://wiki.strongswan.org/projects/strongswan/repository/revisions/97708f7ff7571a159ca9a3d03804ffc506469449/diff</a></p>
<p>Will test with that after 2.4.4-p3 ships and we have 2.5.0 snapshots going again.</p>

<p>Jim Pingle, 2019-05-17T15:08:17Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40680">journal_id=40680</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li></ul><p>Looks good on the current snapshot with group 31 and 32.</p>

<p>Jens Groh, 2019-05-17T15:28:54Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40681">journal_id=40681</a>)</p>
<p>Just curious: would the changeset be applicable to 2.4.4-p3 when released?</p>
<p>I have a current customer that would like to upgrade his IPSEC tunnel to curve 25519, so an applicable patch via System Patches would be fine as an interim solution ;)</p>

<p>Jim Pingle, 2019-05-17T15:31:41Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40682">journal_id=40682</a>)</p>
<p>Jens Groh wrote:</p>
<blockquote>
<p>Just curious: would the changeset be applicable to 2.4.4-p3 when released?</p>
</blockquote>
<p>The first patch to add group 31 might, but the 32 would not since it requires a patch to strongSwan. I only tested on 2.5.0.</p>

<p>Jens Groh, 2019-05-17T15:37:40Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40683">journal_id=40683</a>)</p>
<p>Jim Pingle wrote:</p>
<blockquote>
<p>The first patch to add group 31 might, but the 32 would not since it requires a patch to strongSwan. I only tested on 2.5.0.</p>
</blockquote>
<p>Not trying to add complexity to this. But a patch for DH31 capability I'd take for sure ;)</p>
<p>As the German BSI recommends using elliptic curve ciphers like 25519-based, brainpool or secpxxxRy, that would help against people using bad/old/unsafe cipher suites and settings (had to shout one down recently that tried to sneak a 3DES one in).</p>
<p>But really appreciate the fast response on that one in general! Thanks a lot!</p>

<p>Jim Pingle, 2019-05-17T15:46:56Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40684">journal_id=40684</a>)</p>
<p>The first patch above, <a class="changeset" title="Add RFC 8031 Group 31 to IPsec. Implements #9531" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/4fc267484e604509b072b398642f19cb6797ef21">4fc267484e604509b072b398642f19cb6797ef21</a>, applies cleanly to 2.4.4-p2 and 2.4.4-p3 and adds only group 31. I didn't test it, but the libstrongswan curve25519 plugin is there, so it should work.</p>

<p>Jens Groh, 2019-05-17T16:02:30Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40685">journal_id=40685</a>)</p>
<p>Alright, will test within our lab setup and try it with the customer if that works. Will report back!</p>

<p>Jens Groh, 2019-07-03T08:03:00Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=40948">journal_id=40948</a>)</p>
<p>Just as feedback: we had the first two tunnels set up with EC25519 / DH31 as Phase1 (and in one case Phase2, too) and as of yet all is well and normal as expected. :)</p>

<p>Jim Pingle, 2019-08-26T13:21:08Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=42134">journal_id=42134</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>

<p>Jim Pingle, 2019-12-04T09:38:51Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=43216">journal_id=43216</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Feedback</i></li><li><strong>Target version</strong> changed from <i>2.5.0</i> to <i>2.4.5</i></li></ul><p>I picked back the Group 31 change only to 2.4.5 to test since it was reported to function. If it works, re-target this back to 2.5.0 and close it again since it's already been tested there.</p>

<p>Jens Groh, 2019-12-04T10:06:56Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=43218">journal_id=43218</a>)</p>
<p>Jim Pingle wrote:</p>
<blockquote>
<p>I picked back the Group 31 change only to 2.4.5 to test since it was reported to function. If it works, re-target this back to 2.5.0 and close it again since it's already been tested there.</p>
</blockquote>
<p>Don't know if that helps, but as stated above, I'm running the DH31 changeset added through the patches system in 2.4.4-p3 without a hitch, with 3 IPSEC peers, smoothly for months now and don't expect any issues.</p>

<p>Jim Pingle, 2019-12-17T13:45:58Z (<a href="https://redmine.pfsense.org/issues/9531?journal_id=43461">journal_id=43461</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li><li><strong>Target version</strong> changed from <i>2.4.5</i> to <i>2.5.0</i></li></ul><p>Group 31 can be selected and works when chosen on 2.4.5.</p>
<p>2.4.5.a.20191217.0637</p>
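<p>The thread turns on two practical points: exposing DH group 31 (curve25519) and 32 (curve448) as selectable IKE proposal groups, and keeping legacy suites such as 3DES out of IPsec configurations, as the BSI-style recommendation in the comments suggests. The following Python script is an added example, not code from pfSense or strongSwan: it maps IANA DH group numbers to strongSwan proposal keywords, builds the IKE proposal string each phase-1 entry would produce, and reports weak settings over a constructed pfSense-style configuration fragment. The XML element names (<code>phase1</code>, <code>dhgroup</code>, <code>encryption-algorithm</code>, <code>hash-algorithm</code>, <code>phase2</code>, <code>pfsgroup</code>), the two sample tunnels, and the thresholds for what counts as weak are assumptions made for illustration and are not taken from the ticket.</p>

```python
"""Audit pfSense-style IPsec phase-1/phase-2 settings for weak DH groups and ciphers.

Added example, not pfSense or strongSwan project code. The XML element
names (phase1, dhgroup, encryption-algorithm, hash-algorithm, phase2,
pfsgroup) and the sample tunnels below are constructed assumptions for
illustration, not taken from the ticket.
"""
import xml.etree.ElementTree as ET

# IANA IKEv2 DH group number -> strongSwan proposal keyword.
# 31 (curve25519) and 32 (curve448) are the RFC 8031 groups the ticket adds.
DH_GROUPS = {
    1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
    15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384",
    21: "ecp521", 28: "ecp256bp", 29: "ecp384bp", 30: "ecp512bp",
    31: "curve25519", 32: "curve448",
}

# Policy thresholds chosen for this example: MODP groups below 2048 bits
# and legacy block ciphers are reported as findings.
WEAK_DH = {1, 2, 5}
WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128"}

# Constructed sample: tunnel 1 uses group 31 for IKE and PFS, tunnel 2 is
# a legacy peer that still negotiates 3DES with DH group 2.
SAMPLE_CONFIG = """<ipsec>
  <phase1>
    <ikeid>1</ikeid>
    <descr>branch-a</descr>
    <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
    <hash-algorithm>sha256</hash-algorithm>
    <dhgroup>31</dhgroup>
  </phase1>
  <phase2>
    <ikeid>1</ikeid>
    <pfsgroup>31</pfsgroup>
  </phase2>
  <phase1>
    <ikeid>2</ikeid>
    <descr>legacy-vendor</descr>
    <encryption-algorithm><name>3des</name></encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
  </phase1>
  <phase2>
    <ikeid>2</ikeid>
    <pfsgroup>2</pfsgroup>
  </phase2>
</ipsec>"""


def dh_keyword(group):
    """Return the strongSwan keyword for an IANA DH group number, or None if unknown."""
    return DH_GROUPS.get(int(group))


def proposals(config_xml):
    """Map each phase-1 ikeid to the strongSwan IKE proposal string it would produce."""
    root = ET.fromstring(config_xml)
    result = {}
    for p1 in root.findall("phase1"):
        enc = p1.findtext("encryption-algorithm/name")
        keylen = p1.findtext("encryption-algorithm/keylen")
        cipher = f"{enc}{keylen}" if keylen else enc
        integ = p1.findtext("hash-algorithm")
        dh = dh_keyword(p1.findtext("dhgroup"))
        result[p1.findtext("ikeid")] = f"{cipher}-{integ}-{dh}"
    return result


def audit(config_xml):
    """Return (ikeid, finding) tuples for every weak or unknown setting."""
    root = ET.fromstring(config_xml)
    findings = []
    for p1 in root.findall("phase1"):
        ikeid = p1.findtext("ikeid")
        enc = p1.findtext("encryption-algorithm/name")
        if enc in WEAK_CIPHERS:
            findings.append((ikeid, f"weak cipher {enc}"))
        grp = int(p1.findtext("dhgroup"))
        if grp in WEAK_DH:
            findings.append((ikeid, f"weak IKE DH group {grp} ({DH_GROUPS[grp]})"))
        elif grp not in DH_GROUPS:
            findings.append((ikeid, f"unknown DH group {grp}"))
    for p2 in root.findall("phase2"):
        ikeid = p2.findtext("ikeid")
        pfs = p2.findtext("pfsgroup")
        if pfs is not None and int(pfs) in WEAK_DH:
            findings.append((ikeid, f"weak PFS group {pfs} ({DH_GROUPS[int(pfs)]})"))
    return findings


if __name__ == "__main__":
    for ikeid, prop in proposals(SAMPLE_CONFIG).items():
        print(f"ikeid {ikeid}: proposal {prop}")
    for ikeid, finding in audit(SAMPLE_CONFIG):
        print(f"ikeid {ikeid}: {finding}")
```

<p>Run against the constructed sample, tunnel 1 yields <code>aes256-sha256-curve25519</code> with no findings, while tunnel 2 is flagged for 3DES and for DH group 2 in both the IKE and PFS positions. On a real firewall the same logic would be pointed at the exported configuration rather than the inline sample; the point is that the group number chosen in the GUI is what ends up in the strongSwan proposal, so an audit can work from the configuration alone.</p>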