customize ipsec weak cipher sets

Started by m256, November 17, 2024, 11:51:49 AM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
November 17, 2024, 11:51:49 AM
Hello,
I need to temporarily make an ipsec connection to some old tp-link router which supports just weak cipher sets nothing more secure than AES128-SHA1-DH5.
I know it is not available in GUI for good reasons and the support has been removed, but what if i manually edit some conf files (ipsec.conf, swanctl.con) etc.?
Is adding charon {     proposals = 3des-sha1-modp1536 } gonna do something?
What about editing conf backup and adding 3des-sha1-modp1536 to tunnel proposals?
Thanks!
November 17, 2024, 12:20:13 PM #1
https://docs.opnsense.org/manual/vpnet.html

Check out the custom configuration section for ipsec.

You can do anything in here that strongswan supports.
Hardware:
DEC740
November 17, 2024, 01:25:14 PM #2
Thank you. Seems like i was on the right track.
So to get insecure ciphers for ipsec my friend can:
1) add custom.conf with
charon {
   proposals = 3des-sha1-modp1536, aes128-sha1-modp1536
}

2) edit backup-config.xml and set this to connection node of the tunnel
<proposals>default,3des-sha1-modp1536, aes128-sha1-modp1536</proposals>

3) restore modded backup file

Correct?
Thanks!
November 17, 2024, 01:28:14 PM #3
I would set the whole custom tunnel in that custom configuration file.

I would not edit the config.xml or restore a tampered backup.
Hardware:
DEC740
November 25, 2024, 01:27:44 PM #4
Does this note in the documentation which says "...will not be mainted by the user interface,..." mean that it won't be possible to choose a custom proposal from the UI? If that is true then how would they be applied to an IPsec policy?
November 26, 2024, 01:14:03 PM #5
Yes, that was my point. You are not allowed to set custom (weak) ciphers from UI, so you have to play with custom config files. I don't feel do all doing all tunnel settings in custom config, that's why I investigated restoring tampered backups alternative.
November 26, 2024, 01:49:25 PM #6
Unfortunately vpnet.html is not clear on what is required here.
Am I supposed to do the entire VPN tunnel configuration as a new file in /usr/local/etc/strongswan.opnsense.d/? Or am I able to override one or more parameters by dropping a file in there?
The documentation needs some examples of what custom config looks like.
November 26, 2024, 02:00:40 PM #7 Last Edit: November 26, 2024, 02:02:48 PM by Monviech (Cedrik)
Code Select
/usr/local/etc/swanctl/swanctl.conf

At the bottom of that file is this import statement:

Code Select
# Include config snippets
include conf.d/*.conf

This means logically, it must be complete tunnel configurations that do not collide with existing auto generated configuration.

E.g. I want to add another pool, I create a file called:

Code Select
/usr/local/etc/swanctl/conf.d/test.conf

Code Select

pools {
    pool-rw-ipv4i {
        addrs = 172.16.208.0/24
        dns = 172.16.0.254
    }
}


Then:

Code Select
configctl ipsec restart
Code Select
swanctl --list-pools

Code Select

pool-rw-ipv4         172.16.203.0                        0 / 0 / 254
pool-rw-ipv4i        172.16.208.0                        0 / 0 / 254


My custom pool was added.
Hardware:
DEC740
November 26, 2024, 02:19:51 PM #8
As I happens, I managed to work this out.
Given a generated configuration:

Code Select
# cat /usr/local/etc/swanctl/swanctl.conf
# This file is automatically generated. Do not edit
connections {
    00000000-0000-0000-0000-000000000000 {
        proposals = aes256-sha1-modp2048
        unique = no
        aggressive = no
<snip>



We create an override .conf file containing:

Code Select

connections {
    00000000-0000-0000-0000-000000000000 {
        proposals = aes256-sha1-modp1024
        }
}


restart the service and the log confirms that modp1024 was used, not modp2048. There is NO indication in the config GUI that this has happened.
November 26, 2024, 03:16:45 PM #9
Good job,

of course there is no indication in the GUI since everything it presents must be inside /conf/config.xml

There is no controller that parses custom configuration files and displays them.
Hardware:
DEC740
November 30, 2024, 11:44:35 PM #10 Last Edit: December 01, 2024, 12:35:48 AM by m256
Managed to get over P1 using the custom conf. However no luck with P2 - i was not able to define 3des-sha1 proposal with any combination of config (triedg addin children node with esp_proposals etc.).

Isabella, did you manage to have the tunnel fully working? Also, in your custom conf file - did you use the connection id the same as in swanctl.conf, or you created full new settings (including p2 children section etc.)? Thanks!

Cedrik, the tampered backup trick had no effect in the connection (leading to no proposal chosen).
BTW If anyone struggle to see what are the proposals received - you can either set log level to "include sensitive information" to see proposals in syslog or use tcpdump
December 02, 2024, 10:58:44 AM #11
QuoteIsabella, did you manage to have the tunnel fully working?

I wish I could tell you - the other end just keeps sending back NO_PROP and the administrator doesn't seem to know how to look at his logs. But I am confident that my end is using what I think I have configured, as my logs agree with the config I have created. But you just need to bear in mind that I don't 100% know my assertion of how to configure this is true, because I don't have a ph2 up yet :)

QuoteAlso, in your custom conf file - did you use the connection id the same as in swanctl.conf, or you created full new settings (including p2 children section etc.)? Thanks!

No, not full new settings. Just overriding some elements of what was configured in UI, and then always remembering in future that what the UI says about the configuration may not be true.
The UUIDs need to match at each level.

Code Select

connections {
    <the connection UUID from swanctl.conf> {
        proposals = aes256-sha1-modp1024
        children {
            <the child UUID from swanctl.conf> {
                esp_proposals = aes256-sha1
       
        }
}
}
}
December 02, 2024, 11:04:38 AM #12
Are you sure this does not create any race conditions between the GUI config and the overwritten config?

Is it always the same proposals after every reload/restart of the service?

I would rather create the full tunnel as single imported configuration with no GUI elements creating the same configuration.
Hardware:
DEC740
December 02, 2024, 11:20:54 AM #13
QuoteAre you sure this does not create any race conditions between the GUI config and the overwritten config?

I am not really sure about anything because I don't have Ph1 + Ph2 up and traffic passing yet and I have guessed how to configure this because I find the documentation to be unclear. However, if the "include" feature in Strongswan turns out to have some race condition which results in an indeterminate configuration, then that would be a pretty serious caveat [which should be documented loud and clear], and probably renders the include mechanism unusable in production environments.

QuoteIs it always the same proposals after every reload/restart of the service?

I can test that easily enough with, say, 10 restarts of the service.
December 03, 2024, 03:13:12 PM #14
So, good news: I have tried with custom configs- created custom config file in swanctl\conf.d
I made a completely new connection with unique id and full settings. It worked - even with deprecated ciphers.
I also tried adding just an update to settings made in GUI like this:
Code Select

connections {
    con1 {
        children {
            con1 {
                esp_proposals = aes128-sha1
            }
        }
    }
}

this worked fine as well.

What does not work is 3des for ESP. This is not done by strongswan, but kernel. Adding 3des support to freebsd would likely mean kernel recompiling.
Print
Go Up Pages1 2
User actions