Topic: aes128gcm16-aesxcbc-modp2048 missing after 23.7.7 update (Read 1792 times)

olest (Jr. Member), October 26, 2023, 12:15:48 pm:
Hi,
After updating to 23.7.7 I can no longer choose aes128gcm16-aesxcbc-modp2048 in new IPSEC Connections Proposals.

MoonbeamFrame (Jr. Member), Reply #1, October 26, 2023, 01:49:05 pm:
And I have some existing OPNsense to OPNsense tunnels where the Proposals now say "Nothing selected".
Though the tunnels are up-and-running OK.

franco (Administrator, Hero Member), Reply #2, October 26, 2023, 01:55:58 pm:
Investigating this now.
Cheers,
Franco

mimugmail (Hero Member), Reply #3, October 26, 2023, 02:52:38 pm:
aes128gcm16-aesxcbc-modp2048
Cyphers with GCM already include an auth mech like md5, sha, aesxcbc; those values are useless.

franco (Administrator, Hero Member), Reply #4, October 26, 2023, 03:06:26 pm:
According to strongswan "it depends":
https://users.strongswan.narkive.com/0YfEZ2CS/question-about-ike-aes256gcm16-aesxcbc-modp2048-in-ipsec-conf
I think we'd rather put back what we had offered before quickly and reassess this later in a proper data migration. PRF prefix-or-not and ESP/IKE modularity is a bit difficult to unwind on short notice.
Cheers,
Franco

franco (Administrator, Hero Member), Reply #5, October 26, 2023, 03:23:31 pm:
This should bring the selected item back?
https://github.com/opnsense/core/commit/cde83b0a0c
# opnsense-patch cde83b0a0c
Cheers,
Franco

olest (Jr. Member), Reply #6, October 26, 2023, 04:15:11 pm:
Thank you.

franco (Administrator, Hero Member), Reply #7, October 26, 2023, 05:07:08 pm:
Counting that as a "yes it does"?

olest (Jr. Member), Reply #8, October 26, 2023, 06:02:07 pm:
It does work now

franco (Administrator, Hero Member), Reply #9, October 26, 2023, 07:33:24 pm:
Ok, I'll proceed to hotfix this tomorrow just to avoid further irritation about it.
Cheers,
Franco

olest (Jr. Member), Reply #10, October 26, 2023, 09:10:18 pm:
ok,
Is aes256-sha256-modp1024[DH2] / AES (256 bits) + SHA256 + DH Group 2 not an option with the new connection proposals? I'm having one IPSEC IKEv1 using it.

franco (Administrator, Hero Member), Reply #11, October 26, 2023, 09:20:08 pm:
I think modp1024 is considered deprecated. Wasn't in 23.7.6 either, right?
Cheers,
Franco

olest (Jr. Member), Reply #12, October 26, 2023, 09:26:00 pm:
ok, I have not tried to find it in IPSEC new connections before now. Only in legacy IPSEC. I'll update to DH14 I think.
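
Added example, not part of the thread and not OPNsense or strongSwan code: a small audit helper that reads proposal strings of the kind quoted above and reports the two points the thread raises, an integrity keyword next to an AEAD (GCM) cipher and a modp1024 group. The keyword tables are a constructed subset, and the 2048-bit modp threshold and the finding names are assumptions of this example.

```python
import re

# Keyword classes for strongSwan-style proposal strings. This is a constructed
# subset for the example, not strongSwan's full keyword table.
AEAD = re.compile(r"^(aes(128|192|256)(gcm|ccm)\d+|chacha20poly1305)$")
CIPHER = re.compile(r"^(aes(128|192|256)(ctr)?|3des)$")
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc", "aescmac"}
PRF = re.compile(r"^prf[a-z0-9]+$")
DH = re.compile(r"^(modp(\d+)|ecp\d+|curve25519|x25519)$")
MIN_MODP_BITS = 2048  # assumption of this example; the thread only names modp1024


def lint_proposal(proposal, protocol):
    """Return a list of findings for one proposal; protocol is 'ike' or 'esp'."""
    aead, integ, prf, findings = [], [], [], []
    for tok in proposal.lower().split("-"):
        dh = DH.match(tok)
        if AEAD.match(tok):
            aead.append(tok)
        elif tok in INTEG:
            integ.append(tok)
        elif PRF.match(tok):
            prf.append(tok)
        elif dh:
            # group(2) is only set for modpNNNN groups
            if dh.group(2) and int(dh.group(2)) < MIN_MODP_BITS:
                findings.append(f"weak-dh:{tok}")
        elif not CIPHER.match(tok):
            findings.append(f"unknown:{tok}")
    if aead and integ:
        # GCM/CCM/ChaCha20-Poly1305 authenticate the traffic themselves, so a
        # separate integrity keyword adds nothing to packet protection.
        findings.append("aead-with-integrity:" + ",".join(integ))
    if protocol == "ike" and aead and not prf:
        # IKE still needs a PRF for key derivation; report when none is explicit.
        findings.append("ike-no-explicit-prf")
    return findings


if __name__ == "__main__":
    samples = [  # constructed inputs using the proposals quoted in the thread
        ("aes128gcm16-aesxcbc-modp2048", "esp"),
        ("aes128gcm16-aesxcbc-modp2048", "ike"),
        ("aes256-sha256-modp1024", "ike"),
        ("aes256gcm16-prfsha256-modp2048", "ike"),
    ]
    for text, proto in samples:
        print(f"{proto:3} {text:34} {lint_proposal(text, proto) or 'ok'}")
```

Run against an exported list of configured proposals before an upgrade, it shows which entries a changed proposal list is likely to affect.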