
Bug #9993

invalid cipher specified in ipsec config

Added by Florin Samareanu over 1 year ago. Updated over 1 year ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 12/22/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture:

Description

Something seems to have broken in the latest 2.5.0 dev. Configuring an ipsec P1 using aes-128-gcm and xcbc leads to this:

Dec 22 16:49:10 fra-pfSense charon96983: 09[CFG] added vici connection: bypass
Dec 22 16:49:10 fra-pfSense charon96983: 09[CFG] installing 'bypass'
Dec 22 16:49:10 fra-pfSense charon96983: 15[CFG] vici client 25 requests: load-conn
Dec 22 16:49:10 fra-pfSense charon96983: 15[CFG] conn con1000:
Dec 22 16:49:10 fra-pfSense charon96983: 15[CFG] algorithm 'aes128gcm' not recognized
Dec 22 16:49:10 fra-pfSense charon96983: 09[CFG] vici client 25 disconnected

and this:

[2.5.0-DEVELOPMENT][root@fra-pfSense]/usr/local/etc/swanctl/conf.d: swanctl --list-conns
bypass: IKEv1/2, no reauthentication, rekeying every 14400s
local: %any
remote: 127.0.0.1
local unspecified authentication:
remote unspecified authentication:
bypass: PASS, no rekeying
local: 10.9.0.34/32|/0
remote: 10.9.0.34/32|/0

Switching to aes seems to fix it:

[2.5.0-DEVELOPMENT][root@fra-pfSense]/usr/local/etc/swanctl/conf.d: swanctl --list-conns
bypass: IKEv1/2, no reauthentication, rekeying every 14400s
local: %any
remote: 127.0.0.1
local unspecified authentication:
remote unspecified authentication:
bypass: PASS, no rekeying
local: 10.9.0.34/32|/0
remote: 10.9.0.34/32|/0
con1000: IKEv2, no reauthentication, no rekeying
local: [redacted]
remote: [redacted]
local public key authentication:
id: [redacted]
certs: CN=[redacted]
remote public key authentication:
cacerts: CN=ipsec-ca
con1000: TUNNEL, rekeying every 3600s
local: 0.0.0.0/0|/0
remote: 0.0.0.0/0|/0

There is also a duplicate P1 proposal (see attachment), and neither allows selection of a key strength (so you're stuck with 128 bits).

Attachment: proposal.png (43 KB), Florin Samareanu, 12/22/2019 06:56 AM
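The charon log above is the generic strongSwan rejection for any proposal token it does not know, and the report shows how easily a generated swanctl.conf can carry one (charon rejected the bare 'aes128gcm'; strongSwan's GCM keywords carry the ICV length, e.g. aes128gcm16). The following checker is an added example and is not pfSense or strongSwan code: it tokenizes `proposals` / `esp_proposals` lines the way strongSwan does ('-' between algorithms, ',' between alternative proposals) and reports tokens outside a small, hand-maintained keyword subset. That subset is an assumption for this example and must be extended from strongSwan's own keyword table before use; the sample configuration is constructed, modelled on the con1000 connection in the report.

```python
"""Sanity-check IKE/ESP proposal strings in a swanctl.conf fragment.

Added example, not pfSense or strongSwan code.  KNOWN_KEYWORDS is a partial,
hand-maintained subset of strongSwan's proposal keywords (an assumption for
this example); extend it from strongSwan's keyword table before relying on it.
"""
import re

# Partial set of strongSwan proposal keywords (assumption: subset only).
# GCM keywords include the ICV length: 'aes128gcm16' exists, bare
# 'aes128gcm' does not, which is exactly what charon rejected in the report.
KNOWN_KEYWORDS = {
    # encryption
    "aes128", "aes192", "aes256", "3des",
    "aes128gcm8", "aes128gcm12", "aes128gcm16",
    "aes256gcm8", "aes256gcm12", "aes256gcm16",
    "chacha20poly1305",
    # integrity
    "sha1", "sha256", "sha384", "sha512", "aesxcbc",
    # PRF (AEAD ciphers carry no integrity algorithm, so a PRF is needed)
    "prfsha1", "prfsha256", "prfsha384", "prfsha512", "prfaesxcbc",
    # DH groups
    "modp1024", "modp2048", "modp3072", "modp4096",
    "ecp256", "ecp384", "ecp521", "curve25519",
}

# Matches 'proposals = ...' and 'esp_proposals = ...' lines, any indentation.
_PROPOSAL_RE = re.compile(r"^\s*(esp_proposals|proposals)\s*=\s*(.+?)\s*$")

# Constructed sample swanctl.conf fragment (not taken from the report's host).
SAMPLE_CONF = """\
connections {
    con1000 {
        version = 2
        proposals = aes128gcm-aesxcbc-modp2048
        children {
            con1000 {
                esp_proposals = aes128gcm16-modp2048
            }
        }
    }
}
"""


def find_bad_algorithms(conf_text):
    """Return [(line_no, proposal, token)] for every token not in KNOWN_KEYWORDS.

    Each proposal is split on '-' into algorithm tokens; a line may list
    several alternative proposals separated by ','.
    """
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = _PROPOSAL_RE.match(line)
        if not match:
            continue
        for proposal in match.group(2).split(","):
            proposal = proposal.strip()
            for token in proposal.split("-"):
                if token and token not in KNOWN_KEYWORDS:
                    problems.append((line_no, proposal, token))
    return problems


def main():
    problems = find_bad_algorithms(SAMPLE_CONF)
    if not problems:
        print("all proposal tokens recognized")
    for line_no, proposal, token in problems:
        print(f"line {line_no}: '{token}' in proposal '{proposal}' "
              f"is not a known strongSwan keyword")


if __name__ == "__main__":
    main()
```

Run against a generated /var/etc/ipsec/swanctl.conf before `swanctl --load-all`, this flags the bad token with its line number, which is more than charon's "algorithm 'aes128gcm' not recognized" line tells you; the same function returns an empty list once the proposal is written as aes128gcm16.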

History

#1 Updated by Florin Samareanu over 1 year ago

What seems to fix it is toggling between ciphers (switch to aes in both duplicated tabs, save, edit again, select the initial value for the cipher: aes-128-gcm). All tests were done without any browser caching (had dev tools open with the no-cache option checked).

#2 Updated by Jim Pingle over 1 year ago

  • Status changed from New to Feedback
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

Can you check what changed in your config.xml between the non-working and working configuration?

And can you possibly roll back to the "bad" config and get /var/etc/ipsec/swanctl.conf, then go back to the fixed version and get the same file, to see what changed in the resulting configuration?

#3 Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Duplicate
  • Assignee deleted (Jim Pingle)
  • Target version deleted (2.5.0)

This is actually a symptom of the change in #9726 which has since been corrected.
