pfSense Forum » pfSense English Support » IPsec » AES-256 for mobile clients broken in 1.2.3 ??
Topic: AES-256 for mobile clients broken in 1.2.3 ?? (Read 1351 times)
robbo (Newbie, Posts: 3)
AES-256 for mobile clients broken in 1.2.3 ??
« on: March 01, 2010, 09:18:33 am »
Having several successful 1.2.3-RC1 full installs going, I have delved into embedded with the 1.2.3 Release.
I see between these releases that the configuration for AES encryption has changed to AES-256.
Running to support mobile clients, I cannot get AES-256 to come up in phase 2. Enabling DES etc. comes straight up.
AES-256 at the server end (embedded 2G images) creates a few pfkey errors (INVALID argument) and no entries are put in the SAD database. At the client end (full install) all is well and SAD entries are created with no errors seen.
Has anyone else seen this?
Thanks
robbo (Newbie, Posts: 3)
Re: AES-256 for mobile clients broken in 1.2.3 ??
« Reply #1 on: April 12, 2010, 08:44:23 am »
Just to clarify this issue: using AES-256 for phase 2 DOES NOT WORK, when used between two pfSense 1.3 installs and also between a pfSense release 1.3 and IPSecuritas as road warrior.
The remote end appears to come up and install the IPSEC SA, but the pfSense end appears to agree phase 2 negotiation of AES 256 and is then unable to apply the configuration, reporting instead INVALID argument.
If I change my remote clients to use AES-128 in the second phase, all is well.
I suggest this could simply be the difference between AES 256 and AES-256, but can't see any further with debug.
The pfSense mobile-client "server" reports the following:
DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey ADD message
2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
robbo (Newbie, Posts: 3)
Re: AES-256 for mobile clients broken in 1.2.3 ??
« Reply #2 on: April 12, 2010, 09:42:43 am »
This time including the IPSEC configs.

pfSense 1.3 embedded

Phase 1 Proposal
negotiation > main
identifier > My IP address
enc alg > AES-256
hash alg > SHA1
DH grp > 1
DPD
Lifetime 1800
Auth Method > RSA Sig
cert > present
Key > present

Phase 2 Proposal
Protocol > ESP
Encr alg > AES-256
Hash Alg > SHA1
PFS Key Grp > 2
Lifetime 1800

IPSecuritas

Phase 1
Life > 1800
DH Grp > 768 (1)
Enc > AES 256
Auth > SHA-1
Exch > Main
Proposal Check > Obey
Nonce Size > 16

Phase 2
Lifetime > 1800
PFS Grp > 1024 (2)
Encrp > AES 256 AES 192 AES 128
Auth > HMAC SHA-1

ID
Local > Cert
Remote > Address
Auth Method : Certificates
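The two symptoms the thread describes (phase 2 proposals that negotiate fine, followed by `pfkey UPDATE/ADD failed: Invalid argument` and an empty SAD) can be separated mechanically. The script below is an added example, not code from the thread or from the pfSense project: it parses racoon-style pfkey log lines like the ones quoted in Reply #1, normalizes the GUI spellings from Reply #2 ("AES-256", "AES 256", "1024 (2)", "HMAC SHA-1") so the two phase 2 proposal sets can be intersected, and then labels the failure as either "no common proposal" (a negotiation problem) or "SA install failed" (the kernel rejected an SA the daemons had already agreed on). The log text is a constructed sample in the same shape as the thread's output, the canonical algorithm names, the default key lengths for fixed-length ciphers and the diagnosis labels are my own choices, and the script does not claim to know why the embedded kernel rejected the SA; the thread leaves that open.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample in the shape of the racoon debug output quoted in the thread
# (not captured from a live system; the first line deliberately lacks a timestamp).
SAMPLE_LOG = """\
DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey ADD message
2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
"""

# Phase 2 proposals as typed into the two GUIs in Reply #2:
# (encryption algorithms, authentication algorithms, PFS group).
SERVER_PHASE2 = (["AES-256"], ["SHA1"], "2")                                # pfSense side
CLIENT_PHASE2 = (["AES 256", "AES 192", "AES 128"], ["HMAC SHA-1"], "1024 (2)")  # IPSecuritas side

LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): )?"   # timestamp is optional
    r"(?P<level>DEBUG|ERROR|INFO|WARNING): (?P<body>.*)$"
)
SEEN_RE = re.compile(r"^get pfkey (?P<type>[A-Z_]+) message$")
FAIL_RE = re.compile(r"^pfkey (?P<type>[A-Z_]+) failed: (?P<reason>.+)$")


def parse_pfkey_log(text: str) -> Dict[str, object]:
    """Count the pfkey messages racoon received and record the ones the kernel rejected."""
    seen: Counter = Counter()
    failed: Dict[str, List[str]] = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # e.g. 'pk_recv: retry[0] recv()' is noise here
        body = m.group("body")
        s = SEEN_RE.match(body)
        if s:
            seen[s.group("type")] += 1
            continue
        f = FAIL_RE.match(body)
        if f:
            failed[f.group("type")].append(f.group("reason"))
    return {"seen": dict(seen), "failed": dict(failed)}


def normalize_enc(name: str) -> Tuple[str, int]:
    """Map GUI spellings ('AES-256', 'AES 256', 'aes256', 'rijndael 256') to (alg, key bits)."""
    n = name.strip().lower().replace("-", " ").replace("_", " ")
    m = re.match(r"^(aes|rijndael|3des|des|blowfish|cast128)\s*(\d+)?$", n)
    if not m:
        raise ValueError(f"unrecognised encryption algorithm: {name!r}")
    alg = "aes" if m.group(1) == "rijndael" else m.group(1)
    if m.group(2):
        return alg, int(m.group(2))
    fixed = {"3des": 192, "des": 64}       # fixed-length ciphers need no key size
    if alg not in fixed:
        raise ValueError(f"key length required for {name!r}")
    return alg, fixed[alg]


def normalize_auth(name: str) -> str:
    """Map 'SHA1', 'SHA-1', 'HMAC SHA-1', 'MD5' to one canonical HMAC name."""
    n = re.sub(r"[\s\-_]", "", name.strip().lower())
    if n.startswith("hmac"):
        n = n[4:]
    if n in ("sha", "sha1"):
        return "hmac_sha1"
    if n in ("md5", "sha256", "sha384", "sha512"):
        return "hmac_" + n
    raise ValueError(f"unrecognised authentication algorithm: {name!r}")


def normalize_dh(value: str) -> int:
    """'2', '1024 (2)' and 'modp1024' all denote DH/PFS group 2."""
    s = str(value).strip().lower()
    m = re.search(r"\((\d+)\)", s)        # IPSecuritas style: '1024 (2)'
    if m:
        return int(m.group(1))
    m = re.match(r"^modp(\d+)$", s)       # racoon.conf style
    if m:
        return {"768": 1, "1024": 2, "1536": 5, "2048": 14}[m.group(1)]
    return int(s)                         # pfSense style: bare group number


def phase2_proposals(encs: Sequence[str], auths: Sequence[str], pfs: str):
    return {(normalize_enc(e), normalize_auth(a), normalize_dh(pfs)) for e in encs for a in auths}


def common_phase2(server, client) -> list:
    """Proposals both ends offer; empty means phase 2 cannot negotiate at all."""
    return sorted(phase2_proposals(*server) & phase2_proposals(*client))


def diagnose(report: Dict[str, object], common: list) -> str:
    """Negotiation problem vs. SA-install problem (my own labels, not racoon's)."""
    if not common:
        return "no-common-proposal"
    if any(t in report["failed"] for t in ("ADD", "UPDATE")):
        return "sa-install-failed"        # agreed SA was rejected by the kernel via pfkey
    return "ok"


if __name__ == "__main__":
    report = parse_pfkey_log(SAMPLE_LOG)
    common = common_phase2(SERVER_PHASE2, CLIENT_PHASE2)
    print("common phase 2 proposals:", common)
    print("pfkey failures:", report["failed"])
    print("diagnosis:", diagnose(report, common))
```

Running it on the thread's own configuration yields exactly one common proposal, AES with a 256-bit key, HMAC-SHA1, PFS group 2, and a diagnosis of `sa-install-failed`: the "AES 256" versus "AES-256" spelling difference the poster suspected disappears after normalization, so the place to look is the kernel's handling of the SA that racoon tried to add, which is what the empty SAD on the server side also indicates.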