Hi,
After updating to 23.7.7 I can no longer choose aes128gcm16-aesxcbc-modp2048 in new IPSEC Connections Proposals.

And I have some existing OPNsense to OPNsense tunnels where the Proposals now say Nothing selected.
Though the tunnels are up-and-running OK.

Investigating this now.
Cheers,
Franco

aes128gcm16-aesxcbc-modp2048
Ciphers with GCM already include an auth mech like md5, sha, aesxcbc, those values are useless.

According to strongSwan "it depends":
https://users.strongswan.narkive.com/0YfEZ2CS/question-about-ike-aes256gcm16-aesxcbc-modp2048-in-ipsec-conf
I think we'd rather put back what we had offered before quickly and reassess this later in a proper data migration. PRF prefix-or-not and ESP/IKE modularity is a bit difficult to unwind on short notice.
Cheers,
Franco

This should bring the selected item back? https://github.com/opnsense/core/commit/cde83b0a0c
# opnsense-patch cde83b0a0c
Cheers,
Franco

Thank you.

Counting that as a "yes it does"? :)

It does work now :)

Ok, I'll proceed to hotfix this tomorrow just to avoid further irritation about it.
Cheers,
Franco

ok,
Is aes256-sha256-modp1024[DH2] / AES (256 bits) + SHA256 + DH Group 2 not an option with the new connection proposals? I have one IPSEC IKEv1 using it.

I think modp1024 is considered deprecated. Wasn't in 23.7.6 either, right?
Cheers,
Franco

ok, I have not tried to find it in IPSEC new connections before now. Only in legacy IPSEC. I'll update to DH14 I think.