Messages

1

19.1 Legacy Series / Re: Issues with IPSEC and Diffie Hellman Groups on 19.1

« on: January 03, 2019, 06:32:19 am »

i hadnt updated the image as i went on vaca but that would prob be the next step i do believe that the issue is related to the strongswan version being older and that its causing an incompatibility with openssl that triggered the issue.

My tests were New installs via the ISO with 0 updates IIR it said it was 19.1 Version D that i had issues with

2

19.1 Legacy Series / Re: Issues with IPSEC and Diffie Hellman Groups on 19.1

« on: December 20, 2018, 06:01:55 am »

more info,

this is what i would have expected to see but because of the openssl error i am betting that is root cause, had to boot up an older pfsense box that i had to pull it but i would have expected to see the below and it confirms my suspicions  (PFSense 2.4.4 P1 is using strongSwan 5.7.1 (OpenSSL 1.0.2o-freebsd) and this OPNSense Build 19.1b is using strongSwan 5.6.3 (OpenSSL 1.0.2o-freebsd)) could be a bug from previous strongSwan version that could be affecting Openssl?

Hope this helps more.

DH Groups from PFsense 2.4.4 VM
dh:
  ECP_256[openssl]
  ECP_384[openssl]
  ECP_521[openssl]
  ECP_224[openssl]
  ECP_192[openssl]
  ECP_256_BP[openssl]
  ECP_384_BP[openssl]
  ECP_512_BP[openssl]
  ECP_224_BP[openssl]
  MODP_3072[openssl]
  MODP_4096[openssl]
  MODP_6144[openssl]
  MODP_8192[openssl]
  MODP_2048[openssl]
  MODP_2048_224[openssl]
  MODP_2048_256[openssl]
  MODP_1536[openssl]
  MODP_1024[openssl]
  MODP_1024_160[openssl]
  MODP_768[openssl]
  MODP_CUSTOM[openssl]
  CURVE_25519[curve25519]

3

19.1 Legacy Series / Re: 19.1 HardenedBSD on Denverton (C3558) installs fine

« on: December 19, 2018, 11:58:37 pm »

Outside of the IPSEC bug i reported in another post, i am also running on Denverton - A2SDi-4C-HLN4

I had tested with 18.x line and came up short with the Driver I/O issues, that do not happen in 19.1 -- Super Stoked!!

4

19.1 Legacy Series / Re: Issues with IPSEC and Diffie Hellman Groups on 19.1

« on: December 19, 2018, 11:42:24 pm »

Another piece of line with IPs XXX'ed Out

Dec 19 14:52:50 ragnarok charon: 15[KNL] creating acquire job for policy xxx.xxx.xxx.xxx/32 === xxx.xxx.xxx.xxx/32 with reqid {1}
Dec 19 14:52:50 ragnarok charon: 13[IKE] <con1|3> initiating IKE_SA con1[3] to xxx.xxx.xxx.xxx
Dec 19 14:52:50 ragnarok charon: 13[IKE] <con1|3> configured DH group MODP_2048 not supported
Dec 19 14:52:50 ragnarok charon: 13[MGR] <con1|3> tried to checkin and delete nonexisting IKE_SA

5

19.1 Legacy Series / Issues with IPSEC and Diffie Hellman Groups on 19.1

« on: December 19, 2018, 11:39:31 pm »

Hey All,

Testing out 19.1 and came across IPSEC Issues it doesnt seem that any of the DH codes are working when i  started to look deeper i found that its only supporting curve25519 which isnt even an option in the UI but also that there was an issue with OpenSSL failing to load which looks very similar to a freebsd issue from a while back (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212149)

root@ragnarok:/ # swanctl -g
plugin 'openssl' failed to load: /usr/local/lib/ipsec/plugins/libstrongswan-openssl.so: Undefined symbol "RSA_set0_factors"
encryption:
  AES_CBC[aes]
  3DES_CBC[des]
  DES_CBC[des]
  DES_ECB[des]
  BLOWFISH_CBC[blowfish]
  RC2_CBC[rc2]
integrity:
  AES_XCBC_96[xcbc]
  AES_CMAC_96[cmac]
  HMAC_SHA1_96[hmac]
  HMAC_SHA1_128[hmac]
  HMAC_SHA1_160[hmac]
  HMAC_MD5_96[hmac]
  HMAC_MD5_128[hmac]
  HMAC_SHA2_256_128[hmac]
  HMAC_SHA2_256_256[hmac]
  HMAC_SHA2_384_192[hmac]
  HMAC_SHA2_384_384[hmac]
  HMAC_SHA2_512_256[hmac]
  HMAC_SHA2_512_512[hmac]
aead:
  AES_GCM_8[gcm]
  AES_GCM_12[gcm]
  AES_GCM_16[gcm]
hasher:
  HASH_SHA1[sha1]
  HASH_SHA2_224[sha2]
  HASH_SHA2_256[sha2]
  HASH_SHA2_384[sha2]
  HASH_SHA2_512[sha2]
  HASH_MD4[md4]
  HASH_MD5[md5]
  HASH_IDENTITY[curve25519]
prf:
  PRF_KEYED_SHA1[sha1]
  PRF_FIPS_SHA1_160[fips-prf]
  PRF_AES128_XCBC[xcbc]
  PRF_AES128_CMAC[cmac]
  PRF_HMAC_SHA1[hmac]
  PRF_HMAC_MD5[hmac]
  PRF_HMAC_SHA2_256[hmac]
  PRF_HMAC_SHA2_384[hmac]
  PRF_HMAC_SHA2_512[hmac]
xof:
dh:
  CURVE_25519[curve25519]
rng:
  RNG_STRONG[random]
  RNG_TRUE[random]
nonce-gen:
  NONCE_GEN[nonce]