Bug: IPSEC VPN - PRF_AES128_XCBC isn't working any more

[sunmast]

This looks like a regression.

I was using AES-XCBC as the hash algorithm in "VPN: IPsec: Tunnel Settings" to accommodate Android's default VPN client which only accepts SHA1 and AES-XCBC, and SHA1 isn't used due to security reasons.

It's also the preferred hash algorithm by strongSwan Android app and Windows default client.

After a recent update (can't remember which one) all VPN clients can't connect anymore because of error "KDF_PRF with PRF_UNDEFINED not supported" and "key derivation failed". Logs:

2022-06-06T22:16:27-07:00   Informational   charon   12[NET] <2> sending packet: from 10.0.0.1[500] to 10.0.0.100[42573] (36 bytes)   
2022-06-06T22:16:27-07:00   Informational   charon   12[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]   
2022-06-06T22:16:27-07:00   Informational   charon   12[IKE] <2> key derivation failed   
2022-06-06T22:16:27-07:00   Informational   charon   12[IKE] <2> KDF_PRF with PRF_UNDEFINED not supported   
2022-06-06T22:16:27-07:00   Informational   charon   12[IKE] <2> remote host is behind NAT   
2022-06-06T22:16:27-07:00   Informational   charon   12[CFG] <2> selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_256   
2022-06-06T22:16:27-07:00   Informational   charon   12[IKE] <2> 10.0.0.100 is initiating an IKE_SA   
2022-06-06T22:16:27-07:00   Informational   charon   12[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]   
2022-06-06T22:16:27-07:00   Informational   charon   12[NET] <2> received packet: from 10.0.0.100[42573] to 10.0.0.1[500] (716 bytes)

I have to remove AES-XCBC algorithm and use SHA256 only to accommodate strongSwan Android app and Windows client, while the Android default VPN client is still broken.

I found this thread https://bytemeta.vip/repo/strongswan/strongswan/issues/1026 but not sure if it's related. Is --disable-kdf added to the configure options? If so, removing it may fix the issue.

[franco]

There was another report on Reddit about strongswan revert making things work again.

# opnsense-revert -r 22.1.7 strongwan

It would point to a problem within the latest release https://github.com/strongswan/strongswan/releases/tag/5.9.6


Cheers,
Franco

[franco]

For reference: https://www.reddit.com/r/opnsense/comments/uxdfd9/opnsense_2218_released/i9x2phn/?utm_source=reddit&utm_medium=web2x&context=3

[franco]

Can someone with the issue try this KDF-enabled package?

# pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/misc/strongswan-kdf.pkg


Thanks,
Franco

[sunmast]

The command pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/misc/strongswan-kdf.pkg fixed the problem. Thanks!

[breakaway]

Confirmed, fixed for me also.

[franco]

Thanks, we discussed the change here in FreeBSD https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263748 best case they flip it on by default or we do. Either way in 22.1.9 this will be fixed. Thanks for reporting and testing

[JohnDoe17]

Just wanted to tag on to this.  I'm having the same problem: "KDF_PRF with PRF_UNDEFINED not supported" with my IPsec configuration.

The strongwan-kdf.pkg fixed it for me also.