Feature #9726
closed
Hash Algorithm configured on child ESP/AH proposals using AES GCM though strongswan strips them
100%
Description
One might want to allow transform sets on a Phase 2 like this:
AES128/192/256-CBC with SHA256
AES128-GCM with no AH
There is currently no way to do that because the AH will be set to be required for the GCM transforms as well as the CBC.
Strongswan, however, seems to do the "right thing" here...
Given this (AH required on all GCM transform sets):
Sep 4 18:56:57 charon 05[CFG] esp=
aes256-sha1-modp2048,
aes256-sha256-modp2048,
aes192-sha1-modp2048,
aes192-sha256-modp2048,
aes128-sha1-modp2048,
aes128-sha256-modp2048,
aes128gcm128-sha1-modp2048,
aes128gcm128-sha256-modp2048,
aes128gcm96-sha1-modp2048,
aes128gcm96-sha256-modp2048,
aes128gcm64-sha1-modp2048,
aes128gcm64-sha256-modp2048,
aes128-sha256-modp2048,
aes128gcm128-sha256-modp2048!
Strongswan does this (No AH on the GCM transforms):
Sep 4 18:56:58 charon 12[CFG] <con2000|1> configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_12_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_GCM_12_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_GCM_8_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_GCM_8_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ
It would probably be best for pfSense to be adjusted to do this (strip any configured AH from all GCM transform sets) and not be dependent on strongswan to do that. Seems the configuration should match what is actually put out on the wire.
Maybe another note under the AH checkboxes saying something like "No Hash Algorithms will be applied to authenticated ciphers such as AES GCM."
Related issues
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to New
I reverted this commit. It broke some tunnels:
GUI has:- Algo: AES128-GCM
- Key Length: 128 bit
- Hash: AES-XCBC
- DH Group: 32
With this change applied, it does not load:
proposals = aes128gcm128-curve448
loading connection 'con1000' failed: invalid value for: proposals, config discarded
Without this change applied, it loads and connects:
proposals = aes128gcm128-aesxcbc-curve448
Updated by Viktor Gurov over 4 years ago
Jim Pingle wrote:
I reverted this commit. It broke some tunnels:
GUI has:
- Algo: AES128-GCM
- Key Length: 128 bit
- Hash: AES-XCBC
- DH Group: 32
With this change applied, it does not load:
[...]
[...]Without this change applied, it loads and connects:
[...]
if we do not specify hash it uses some default Hash/PRF value (sha256?)
If no PRF is configured, the algorithms defined for integrity are proposed as PRF.
see https://wiki.strongswan.org/projects/strongswan/wiki/Connsection:
Updated by Jim Pingle over 4 years ago
strongSwan won't load the connection with a valid selection of options with the change applied, so it apparently doesn't assume a default. The change does not work as it should. Something is missing. We can't suddenly break working connections with valid combinations of options.
Also the code for PRF is still in a pending PR, so there is no way yet to select a PRF.
All that said, this issue originally is for Phase 2 proposal entries, and the linked PR that I reverted altered the IKE (Phase 1) proposal and not the ESP/AH (Phase 2) proposals (esp_proposals / ah_proposals)
Updated by Viktor Gurov over 4 years ago
right,
fixed, phase 2 strip PR:
https://github.com/pfsense/pfsense/pull/4148
Updated by Jim Pingle over 4 years ago
- Subject changed from AH configured on AES GCM transform sets though strongswan strips them. to Hash Algorithm configured on child ESP/AH proposals using AES GCM though strongswan strips them
Updated subject to clarify some ambiguity in the original description.
Updated by Jim Pingle about 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov about 4 years ago
tested on 2.5.0.a.20200220.1948
This small fix is still needed for cases where both AEAD and non-AEAD ciphers are selected at the same time:
https://github.com/pfsense/pfsense/pull/4198
Updated by Jim Pingle about 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov about 4 years ago
- Status changed from Feedback to Resolved
tested on 2.5.0.a.20200221.1911
now works as expected in all cases
Updated by Viktor Gurov over 2 years ago
- Related to Regression #12324: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode added