Not setting ESP DH Group properly on "esp=" line in ipsec.conf
Status: Closed, Resolved | Visibility: Public | Type: BUG

Description

I had been attempting to get a stable site-to-site VPN connection, and it kept dropping whenever the other side attempted to initiate. The logs were showing the following error:

Jul 13 14:02:33 vyos-prod charon: 01[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jul 13 14:02:33 vyos-prod charon: 01[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

Even though PFS was configured for dh-group14 implicitly, the local config wasn't reporting its proposal to the other side with MODP_2048 in it.

Looking at the /etc/ipsec.conf:

ike=aes256-sha256-modp2048!
keyexchange=ikev2
reauth=no
ikelifetime=28800s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
esp=aes256-sha256!
keylife=3600s
rekeymargin=540s
type=tunnel
pfs=yes
pfsgroup=modp2048

Clearly the pfsgroup was in there, but I noticed it wasn't on the "esp=" line like it was with "ike=". So, I manually changed the "esp=" line to read:
esp=aes256-sha256-modp2048!

After that I restarted the ipsec process, and the error went away, and the connection remained stable.
Now I am worried that I will have to remember to redo that change in the ipsec.conf any time I adjust any ipsec settings.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.1.7
Why the issue appeared?
Will be filled on close
ethomas created this task. Jul 17 2017, 6:33 PM
syncer assigned this task to dmbaturin. Aug 1 2017, 2:55 AM
syncer triaged this task as Normal priority.
syncer added subscribers: dmbaturin, Community, syncer.

All IPSec stuff goes directly to @dmbaturin

FYI, as a reference that the esp= line should be formatted as I suggest:
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

#   ike=3des-md5-modp1024!
#   esp=3des-md5!
# Use this, if you want PFS with DH group 2.
#   esp=3des-md5-modp1024!

I also went ahead and modified /opt/vyatta/sbin/vpn-config.pl to do this. I'm attaching my patch file for your convenience.
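The mismatch in the description (pfs=yes and pfsgroup=modp2048 set, but no DH group on the esp= line, so charon's configured ESP proposal carries no MODP_2048) is easy to audit for before a rekey drops the tunnel. The following Python is an added example, not code from VyOS, from vpn-config.pl, or from the attached patch. It parses the conn sections of an ipsec.conf, flags any conn that requests PFS while its esp= proposal omits the expected group, and builds the corrected esp= string the way the strongSwan wiki example above does (group appended to the proposal, "!" kept for strict mode). It assumes strongSwan 5.x semantics, where the ESP DH group is taken from the esp= proposal itself; the peer names and the sample config text are constructed for the demonstration.

```python
"""Audit strongSwan ipsec.conf conn sections for esp= proposals that omit the PFS DH group.

Added example (not VyOS or strongSwan code). Assumes strongSwan 5.x: pfs=/pfsgroup= alone
do not put a DH group into the ESP proposal; it must appear on the esp= line.
"""

# Constructed sample modelled on the fragment in the bug report; peer names are made up.
SAMPLE_CONF = """\
conn peer-203.0.113.10-tunnel-1
    ike=aes256-sha256-modp2048!
    keyexchange=ikev2
    esp=aes256-sha256!
    type=tunnel
    pfs=yes
    pfsgroup=modp2048

conn peer-198.51.100.7-tunnel-1
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    pfs=yes
    pfsgroup=modp2048

conn peer-192.0.2.5-tunnel-1
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    pfs=no
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # top-level section header
            if line.startswith("conn "):
                current = line.split(None, 1)[1].strip()
                conns[current] = {}
            else:
                current = None                    # e.g. 'config setup', 'ca ...'
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def build_esp(cipher, hash_, pfs_group=None, strict=True):
    """Build an esp= proposal; the DH group is appended only when PFS is requested."""
    parts = [cipher, hash_]
    if pfs_group:
        parts.append(pfs_group)
    return "-".join(parts) + ("!" if strict else "")


def missing_pfs_group(section):
    """Return the DH group a conn asks for via pfs/pfsgroup but lacks on esp=, else None."""
    if section.get("pfs", "no").lower() != "yes":
        return None
    expected = section.get("pfsgroup")
    if not expected:
        return None                               # nothing concrete to compare against
    # esp= may list several comma-separated proposals; each one needs the group.
    for proposal in section.get("esp", "").rstrip("!").split(","):
        if expected not in proposal.split("-"):
            return expected
    return None


def fixed_esp(esp_value, group):
    """Append the DH group to every proposal that lacks it, preserving strict mode ('!')."""
    strict = esp_value.endswith("!")
    proposals = []
    for proposal in esp_value.rstrip("!").split(","):
        parts = proposal.split("-")
        if group not in parts:
            parts.append(group)
        proposals.append("-".join(parts))
    return ",".join(proposals) + ("!" if strict else "")


def audit(text):
    """Map each misconfigured conn name to the esp= value it should carry."""
    findings = {}
    for name, section in parse_conns(text).items():
        group = missing_pfs_group(section)
        if group and section.get("esp"):
            findings[name] = fixed_esp(section["esp"], group)
        elif group:
            findings[name] = None                 # PFS requested but no esp= line at all
    return findings


if __name__ == "__main__":
    for conn, suggestion in audit(SAMPLE_CONF).items():
        print(f"{conn}: esp= lacks PFS group; suggested esp={suggestion}")
```

Run against a live /etc/ipsec.conf after each configuration commit to confirm the generated esp= lines still carry the group; a non-empty result is the same condition the "configured proposals" log line in the description reveals only once the peer rekeys.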

syncer moved this task from Need Triage to Backlog on the VyOS 1.1.x board. Aug 5 2017, 10:51 PM

@dmbaturin confirmed that it can be included in 1.1.8

UnicronNL moved this task from Backlog to Finished on the VyOS 1.1.x (1.1.8) board. Wed, Sep 6, 6:09 PM
UnicronNL closed this task as Resolved.