Created attachment 233690 [details] Update to 5.9.6 Update StrongSwan to 5.9.6: - Changelog: https://github.com/strongswan/strongswan/releases/tag/5.9.6 - Add Option for KDF-Plugin (Default OFF)
Comment on attachment 233690 [details] Update to 5.9.6 I am happy with the update it can be applied
Thanks for you feedback :) Could someone commit this? Thanks!
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=b591672ecc5b85f42c3f9ebaed2d7acb0120ca9d commit b591672ecc5b85f42c3f9ebaed2d7acb0120ca9d Author: Dani I <i.dani@outlook.com> AuthorDate: 2022-05-09 22:22:49 +0000 Commit: Dries Michiels <driesm@FreeBSD.org> CommitDate: 2022-05-09 22:28:02 +0000 security/strongswan: Update to 5.9.6 Changes: https://github.com/strongswan/strongswan/releases/tag/5.9.6 PR: 263748 Approved by: Francois ten Krooden (maintainer) security/strongswan/Makefile | 6 ++++-- security/strongswan/distinfo | 6 +++--- security/strongswan/pkg-plist | 4 ++++ 3 files changed, 11 insertions(+), 5 deletions(-)
Committed! Dani if you want you can set your full name under settings to attribute your submissions in the git log for future commits.
Hi, There is a regression here with KDF that people report in a few places for both OPNsense and pfSense, e.g. https://forum.opnsense.org/index.php?topic=28654.0 2022-06-06T22:16:27-07:00 Informational charon 12[NET] <2> sending packet: from 10.0.0.1[500] to 10.0.0.100[42573] (36 bytes) 2022-06-06T22:16:27-07:00 Informational charon 12[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] 2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> key derivation failed 2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> KDF_PRF with PRF_UNDEFINED not supported 2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> remote host is behind NAT 2022-06-06T22:16:27-07:00 Informational charon 12[CFG] <2> selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_256 2022-06-06T22:16:27-07:00 Informational charon 12[IKE] <2> 10.0.0.100 is initiating an IKE_SA 2022-06-06T22:16:27-07:00 Informational charon 12[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] 2022-06-06T22:16:27-07:00 Informational charon 12[NET] <2> received packet: from 10.0.0.100[42573] to 10.0.0.1[500] (716 bytes) Not sure if the KDF default to off is at fault here or the 5.6.6 update but something is not quite right... Cheers, Franco
Thanks for the heads-up Franco! My ipsec setup continued to work after the update so its a bit harder for me to test. Could the persons that run against this bug try building with KDF on and see if that helps? Otherwise I would suggest to report upstream.
It's what we discussed internally as well: provide a KDF enabled version to see if that brings back the feature as it were or if we need to take this to StrongSwan directly. I'll report back in a day or two hopefully. :)
So enabling KDF seems to bring back the interoperability we had up to 5.9.5. For me it doesn't matter if KDF is on or off by default since we can adjust our builds, but still it would likely be beneficial to enable KDF by default to avoid the connection issues in FreeBSD by default as some people may already rely on them. There are 2 confirmations via https://forum.opnsense.org/index.php?topic=28654.0 Cheers, Franco
Francois, as the maintainer, are you OK enabling KDF? Although I could probably commit this as blanket approved as a run time fix.
(In reply to Dries Michiels from comment #9) Yeah I don't see a reason why we can't
Tobias Is there a change that would explain this behaviour on FreeBSD which I missed?
It's the same issue discussed here (XCBC, via the default-enabled xcbc plugin, requiring the kdf plugin, which is also default-enabled): https://github.com/strongswan/strongswan/issues/1026#issuecomment-1119440199 The next release will include two changes to avoid this: one demotes the XCBC and CMAC PRFs so HMACs are preferred, another force-enables the kdf plugin if a plugin is enabled that provides any of these PRFs.