
Author Topic: AES-256 for mobile clients broken in 1.2.3 ??  (Read 1605 times)


robbo
AES-256 for mobile clients broken in 1.2.3 ??
« on: March 01, 2010, 08:18:33 am »
Having several successful 1.2.3-RC1 full installs going, I have delved into embedded with 1.2.3 Release.

I see between these releases that configuration for AES encryption has changed to AES-256.

Running to support mobile clients, I cannot get AES-256 to come up in phase 2. Enabling DES etc. comes straight up.

AES-256 at the server end (embedded 2G images) creates a few pfkey errors (INVALID argument) and no entries are put in the SAD database. At the client end (FULL install) all is well and SAD entries are created with no errors seen.

Has anyone else seen this?

Thanks

robbo
Re: AES-256 for mobile clients broken in 1.2.3 ??
« Reply #1 on: April 12, 2010, 08:44:23 am »
Just to clarify this issue: using AES-256 for phase 2 DOES NOT WORK

when used between two pfSense 1.3 installs and also between a pfSense release 1.3 and IPSecuritas as road warrior.

The remote end appears to come up and install the IPsec SA, but the pfSense end, although it appears to agree the phase 2 negotiation of AES 256, is unable to apply the configuration, reporting instead INVALID argument.

If I change my remote clients to use AES-128 in the second phase all is well.

I suggest this could simply be the difference between AES 256 and AES-256, but I can't see any further with debug.

The pfSense mobile-client "server" reports the following:

DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey ADD message
2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
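
An added example, not part of this thread or of pfSense/racoon: a small Python triage script that runs over the racoon debug lines quoted above (embedded here as a constructed sample) and pulls out the failed PF_KEY operations. racoon sends SADB UPDATE/ADD only after phase 2 has been agreed, so errors on those messages point at the kernel rejecting the SA parameters rather than at IKE negotiation.

```python
import re
from collections import Counter

# Constructed sample: the racoon log lines quoted in the post above.
SAMPLE_LOG = """\
2010-04-12 13:20:36: DEBUG: get pfkey UPDATE message
2010-04-12 13:20:36: ERROR: pfkey UPDATE failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey ADD message
2010-04-12 13:20:36: ERROR: pfkey ADD failed: Invalid argument
2010-04-12 13:20:36: DEBUG: pk_recv: retry[0] recv()
2010-04-12 13:20:36: DEBUG: get pfkey X_SPDUPDATE message
"""

# racoon error line: "<date> <time>: ERROR: pfkey <OP> failed: <reason>"
PFKEY_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): ERROR: pfkey "
    r"(?P<op>[A-Z_]+) failed: (?P<reason>.+)$"
)

# PF_KEY messages racoon issues to install the negotiated SAs into the SAD.
SA_INSTALL_OPS = {"UPDATE", "ADD"}


def pfkey_failures(log_text):
    """Return a list of (timestamp, operation, reason) for failed PF_KEY messages."""
    found = []
    for line in log_text.splitlines():
        m = PFKEY_FAIL.match(line.strip())
        if m:
            found.append((m["ts"], m["op"], m["reason"]))
    return found


def classify(failures):
    """Say where the tunnel broke based on which PF_KEY operations failed.

    UPDATE (inbound SA) and ADD (outbound SA) are sent after a successful
    phase-2 agreement, so a failure there means the SA was negotiated but
    the kernel refused to install it; IKE negotiation itself succeeded.
    """
    ops = Counter(op for _, op, _ in failures)
    if any(ops[op] for op in SA_INSTALL_OPS):
        return "sa-install-rejected"
    if failures:
        return "other-pfkey-error"
    return "ok"


if __name__ == "__main__":
    fails = pfkey_failures(SAMPLE_LOG)
    for ts, op, reason in fails:
        print(f"{ts} pfkey {op} failed: {reason}")
    print("verdict:", classify(fails))
```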
robbo
Re: AES-256 for mobile clients broken in 1.2.3 ??
« Reply #2 on: April 12, 2010, 09:42:43 am »
This time including IPsec configs:

pfSense 1.3 embedded

Phase 1 Proposal
   negotiation > main
   identifier > My IP address
   enc alg > AES-256
   hash alg > SHA1
   DH grp > 1
   DPD
   Lifetime 1800
   Auth Method > RSA Sig
   cert > present
   Key > present

Phase 2 Proposal
   Protocol > ESP
   Encr alg > AES-256
   Hash Alg > SHA1
   PFS Key Grp > 2
   Lifetime 1800

IPSecuritas

Phase 1
Life > 1800
DH Grp > 768 (1)
Enc > AES 256
Auth > SHA-1
Exch > Main
Proposal Check > Obey
Nonce Size > 16

Phase 2
Lifetime > 1800
PFS Grp > 1024 (2)
Encrp > AES 256 AES 192 AES 128
Auth > HMAC SHA-1

ID

Local > Cert
Remote > Address

Auth Method : Certificates