Not setting ESP DH Group properly on "esp=" line in ipsec.conf
Closed, Resolved | Public | BUG


I had been attempting to get a stable site-to-site VPN connection, and it kept dropping whenever the other side attempted to initiate. The logs were showing the following error:

Jul 13 14:02:33 vyos-prod charon: 01[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jul 13 14:02:33 vyos-prod charon: 01[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

Even though PFS was configured for dh-group14 implicitly, the local config wasn't reporting its proposal to the other side with MODP_2048 in it.

Looking at the /etc/ipsec.conf:


Clearly the pfsgroup was in there, but I noticed it wasn't on the "esp=" line like it was with "ike=". So, I manually changed the "esp=" line to read:

After that I restarted the ipsec process, and the error went away, and the connection remained stable.
Now I am worried that I will have to remember to redo that change in the ipsec.conf any time I adjust any ipsec settings.


Difficulty level: Unknown (require assessment)
VyOS 1.1.7
Why the issue appeared? Will be filled on close
ethomas created this task. Jul 17 2017, 6:33 PM
syncer assigned this task to dmbaturin. Aug 1 2017, 2:55 AM
syncer triaged this task as Normal priority.
syncer added subscribers: dmbaturin, Community, syncer.

All IPSec stuff goes directly to @dmbaturin

FYI, as a reference that the esp= line should be formatted as I suggest:

#   ike=3des-md5-modp1024!
#   esp=3des-md5!
# Use this, if you want PFS with DH group 2.
#   esp=3des-md5-modp1024!

I also went ahead and modified /opt/vyatta/sbin/ to do this. I'm attaching my patch file for your convenience.

syncer moved this task from Need Triage to Backlog on the VyOS 1.1.x board. Aug 5 2017, 10:51 PM

@dmbaturin confirmed that it can be included in 1.1.8

UnicronNL moved this task from Backlog to Finished on the VyOS 1.1.x (1.1.8) board. Sep 6 2017, 6:09 PM
UnicronNL closed this task as Resolved.
DaRK added a subscriber: DaRK. Edited May 12 2018, 7:50 AM

The patch only resolves the issue when an explicit dh-group is defined. The 'pfs enable' option, using the ike-group's dh-group, still exhibits the issue.

For reference, our patch on 1.1.7

@dmbaturin this is tagged as resolved in 1.1.8; though evaluating the release it doesn't look to be included.
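The mismatch described in the task (DH group present on ike= but missing from esp=) and the 'pfs enable' case DaRK raises, as an added Python check that is not VyOS or strongSwan code: it parses a conn block, resolves the esp-group pfs setting to a strongSwan DH keyword and reports an esp= line that lacks it. The conn block and peer address are constructed for the example, the pfs values 'disable', 'enable' and 'dh-groupN' are assumed to be the VyOS forms, and the number-to-keyword table is the standard IANA/strongSwan mapping.

```python
# Added example (not VyOS code): check an 'esp=' proposal for the PFS DH group.
import re

# IANA IKE DH group number -> strongSwan proposal keyword.
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
             16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}

def dh_of(proposal):
    """DH keyword inside one proposal like 'aes256-sha256-modp2048', else None."""
    found = [t for t in proposal.lower().split("-") if t in DH_GROUPS.values()]
    return found[0] if found else None

def parse_conn(text):
    """Pull 'key=value' settings out of a single ipsec.conf conn block."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def pfs_group(pfs, ike):
    """Resolve VyOS 'pfs disable|enable|dh-groupN' to a strongSwan keyword."""
    if pfs == "disable":
        return None
    if pfs == "enable":  # DaRK's case: reuse the ike-group's DH group
        return dh_of(ike.rstrip("!").split(",")[0])
    m = re.fullmatch(r"dh-group(\d+)", pfs)
    if not m or int(m.group(1)) not in DH_GROUPS:
        raise ValueError(f"unsupported pfs setting: {pfs}")
    return DH_GROUPS[int(m.group(1))]

def expected_esp(esp, pfs, ike):
    """Return the 'esp=' value with the PFS group appended where it is missing."""
    group = pfs_group(pfs, ike)
    strict = "!" if esp.endswith("!") else ""
    props = esp.rstrip("!").split(",")
    if group:
        props = [p if dh_of(p) else f"{p}-{group}" for p in props]
    return ",".join(props) + strict

def audit(conn_text, pfs):
    """Findings for a conn block whose 'esp=' does not match the pfs setting."""
    conn = parse_conn(conn_text)
    want = expected_esp(conn["esp"], pfs, conn["ike"])
    return [] if want == conn["esp"] else [f"esp={conn['esp']} -> esp={want}"]

# Constructed conn block in the shape this task describes: group on ike= only.
SAMPLE_CONN = """conn peer-203.0.113.2-tunnel-1
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONN, "dh-group14") or "esp= proposals are consistent")
```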