aes128gcm16-aesxcbc-modp2048 missing after 23.7.7 update

Started by olest, October 26, 2023, 12:15:48 PM

Hi,

After updating to 23.7.7 I can no longer choose aes128gcm16-aesxcbc-modp2048 in new IPSEC Connections Proposals.

And I have some existing OPNsense to OPNsense tunnels where the Proposals now say Nothing selected.

Though the tunnels are up-and-running OK.


aes128gcm16-aesxcbc-modp2048

Ciphers with GCM already include an auth mech like md5, sha, aesxcbc; those values are useless.



According to strongswan "it depends":

https://users.strongswan.narkive.com/0YfEZ2CS/question-about-ike-aes256gcm16-aesxcbc-modp2048-in-ipsec-conf

I think we'd rather put back what we had offered before quickly and reassess this later in a proper data migration. PRF prefix-or-not and ESP/IKE modularity is a bit difficult to unwind on short notice.


Cheers,
Franco





Ok, I'll proceed to hotfix this tomorrow just to avoid further irritation about it.


Cheers,
Franco

ok,

Is aes256-sha256-modp1024[DH2] / AES (256 bits) + SHA256 + DH Group 2 not an option with the new connection proposals? I have one IPSEC IKEv1 using it.

I think modp1024 is considered deprecated. Wasn't in 23.7.6 either, right?


Cheers,
Franco

ok, I have not tried to find it in IPSEC new connections before now. Only in legacy IPSEC. I'll update to DH14 I think.