
Not setting ESP DH Group properly on "esp=" line in ipsec.conf
Closed, Resolved | Public | BUG

Description

I had been attempting to get a stable site-to-site VPN connection, and it kept dropping whenever the other side attempted to initiate. The logs were showing the following error:

Jul 13 14:02:33 vyos-prod charon: 01[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jul 13 14:02:33 vyos-prod charon: 01[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

Even though PFS was configured for dh-group14 implicitly, the local config wasn't reporting its proposal to the other side with MODP_2048 in it.

Looking at the /etc/ipsec.conf:

ike=aes256-sha256-modp2048!
keyexchange=ikev2
reauth=no
ikelifetime=28800s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
esp=aes256-sha256!
keylife=3600s
rekeymargin=540s
type=tunnel
pfs=yes
pfsgroup=modp2048

Clearly the pfsgroup was in there, but I noticed it wasn't on the "esp=" line like it was with "ike=". So, I manually changed the "esp=" line to read:
esp=aes256-sha256-modp2048!

After that I restarted the ipsec process, and the error went away, and the connection remained stable.
Now I am worried that I will have to remember to redo that change in the ipsec.conf any time I adjust any ipsec settings.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.1.7
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Normal priority.
syncer added subscribers: dmbaturin, Community, syncer.

All IPSec stuff goes directly to @dmbaturin

FYI, as a reference that the esp= line should be formatted as I suggest:
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

#   ike=3des-md5-modp1024!
#   esp=3des-md5!
# Use this, if you want PFS with DH group 2.
#   esp=3des-md5-modp1024!

I also went ahead and modified /opt/vyatta/sbin/vpn-config.pl to do this. I'm attaching my patch file for your convenience.

@dmbaturin confirmed that it can be included in 1.1.8

UnicronNL moved this task from Backlog to Finished on the VyOS 1.1.x (1.1.8) board.

The patch only resolves the issue when an explicit dh-group is defined. The 'pfs enable' option, using ike-group's dh-group still exhibits the issue.

For reference, our patch on 1.1.7
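As an added illustration (not VyOS's vpn-config.pl, and not the patch attached to this task), the following Python shows both halves of the problem described in the report and in the follow-up about `pfs enable`: how an `esp=` line should be derived so that the PFS group from either an explicit `dh-groupN` or the ike-group's inherited dh-group ends up in the proposal, and how to detect the broken state from an existing ipsec.conf conn block or from the two charon `[CFG] ... proposals:` log lines. The dict layout for esp-group/ike-group settings and the function names are assumptions made for this example; the dh-group number to strongSwan keyword table follows the IANA group numbers.

```python
"""Added example: derive the strongSwan esp= line from VyOS-style esp/ike group
settings and audit an ipsec.conf conn block or charon log for a missing PFS group.
This is not VyOS's own vpn-config.pl logic; the dict layout is an assumption."""
import re

# VyOS dh-group numbers -> strongSwan proposal keywords (IANA DH group ids)
DH_GROUP_NAMES = {
    1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
    15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192",
    19: "ecp256", 20: "ecp384", 21: "ecp521",
}


def esp_line(esp_group, ike_group):
    """Build the 'esp=' proposal for one esp-group.

    esp_group: {"encryption": "aes256", "hash": "sha256",
                "pfs": "enable" | "disable" | "dh-groupN"}   (assumed layout)
    ike_group: {"dh_group": 14}                              (assumed layout)
    'enable' inherits the ike-group's dh-group (the case the first patch missed),
    'dh-groupN' uses that group explicitly, 'disable' leaves the group out.
    """
    base = f"{esp_group['encryption']}-{esp_group['hash']}"
    pfs = esp_group.get("pfs", "disable")
    if pfs == "disable":
        return f"esp={base}!"
    if pfs == "enable":
        group = int(ike_group["dh_group"])
    else:
        m = re.fullmatch(r"dh-group(\d+)", pfs)
        if m is None:
            raise ValueError(f"unrecognised pfs setting: {pfs!r}")
        group = int(m.group(1))
    if group not in DH_GROUP_NAMES:
        raise ValueError(f"unsupported dh-group {group}")
    return f"esp={base}-{DH_GROUP_NAMES[group]}!"


def audit_conn(conf_text):
    """Return a list of problems found in one conn section of ipsec.conf.

    Flags pfs=yes whose pfsgroup is absent from the esp= proposal, which is
    exactly the state shown in the bug report.
    """
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)\s*$", conf_text, re.M))
    problems = []
    if kv.get("pfs") == "yes":
        group = kv.get("pfsgroup")
        esp = kv.get("esp", "")
        if group is None:
            problems.append("pfs=yes but no pfsgroup given")
        elif group not in esp.rstrip("!").split("-"):
            problems.append(
                f"esp={esp} does not carry pfsgroup {group}; a peer that "
                f"proposes that DH group will be rejected")
    return problems


def missing_transforms(received_line, configured_line):
    """Compare charon's 'received proposals' and 'configured proposals' lines
    and return the transforms the peer offered that the local proposal lacks."""
    def transforms(line):
        proposal = line.split("proposals:", 1)[1].strip()
        _, _, body = proposal.partition(":")   # drop the 'ESP' protocol prefix
        return set(body.split("/"))
    return sorted(transforms(received_line) - transforms(configured_line))


# Constructed sample input: the conn settings and log lines quoted in the report
SAMPLE_CONN = """\
    ike=aes256-sha256-modp2048!
    keyexchange=ikev2
    esp=aes256-sha256!
    pfs=yes
    pfsgroup=modp2048
"""
RECEIVED = ("Jul 13 14:02:33 vyos-prod charon: 01[CFG] received proposals: "
            "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ")
CONFIGURED = ("Jul 13 14:02:33 vyos-prod charon: 01[CFG] configured proposals: "
              "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ")

if __name__ == "__main__":
    for p in audit_conn(SAMPLE_CONN):
        print("audit:", p)
    print("peer offered, local lacks:", missing_transforms(RECEIVED, CONFIGURED))
    print(esp_line({"encryption": "aes256", "hash": "sha256", "pfs": "enable"},
                   {"dh_group": 14}))
```

Running `audit_conn` over the conn block from the report flags the missing `modp2048`, and `missing_transforms` on the two log lines reports `MODP_2048` as the transform the peer offered but the local side never proposed; the same block with `esp=aes256-sha256-modp2048!` passes clean.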

@dmbaturin this is tagged as resolved in 1.1.8; though evaluating the release it doesn't look to be included.