[Bug 619193] New: ipsec incompatibilities to previous versions
http://bugzilla.novell.com/show_bug.cgi?id=619193
http://bugzilla.novell.com/show_bug.cgi?id=619193#c0

           Summary: ipsec incompatibilities to previous versions
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: RC 1
          Platform: All
        OS/Version: openSUSE 11.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Release Notes
        AssignedTo: ke@novell.com
        ReportedBy: mt@novell.com
         QAContact: coolo@novell.com
                CC: agruen@novell.com
          Found By: ---
           Blocker: ---

There are two changes about kernel ipsec / strongswan, that should IMO be mentioned in release notes:

* Added required userland changes for proper SHA256 and SHA384/512 in ESP that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now configures the kernel with 128 bit truncation, not the non-standard 96 bit truncation used by previous releases. To use the old 96 bit truncation scheme, the new "sha256_96" proposal keyword has been introduced.

When the user (updates from 11.2 or) configures ESP on 11.3, e.g. "esp=aes128-sha256" in a connection to a peer with an old kernel, the new and old kernels will be unable to communicate. AFAIS, there is no error or debug message visible about it.

Workaround is to modify the connections in the ipsec.conf of the new system to use the old/non-standard 96 bit truncation, e.g. "esp=aes128-sha256_96" as described above, or e.g. "esp=aes128-sha256_128" on the peer using the old kernel (when the old peer supports it).

The other fix is in strongswan:

* Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This change makes IPComp tunnel mode connections incompatible with previous releases; disable compression on such tunnels.

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Karl Eichwalder
--- Comment #2 from Marius Tomaschewski
> Thanks for the detailed input--I hope I got it right. Here is my proposal:
>
> <!-- bnc#619193 -->
> <sect3 id="sec.113.ipsec">
> <title>Incompatible IPsec and strongSwan Changes</title>
> <para>The "sha256"/"sha2_256" keywords now configure the kernel with 128-bit truncation, not the non-standard 96-bit truncation used by previous releases. If you depend on the 96-bit truncation scheme, use the new "sha256_96" keyword—this might be necessary, if you want to establish a connection with an old kernel (openSUSE 11.2 or earlier).</para>
> <para>In those cases modify the connection settings to the old and non-standard 96-bit truncation in the <filename>ipsec.conf</filename> of the new system:</para>
> <screen>esp=aes128-sha256_96</screen>

Yes, the mapping is actually:

  sha          AUTH_HMAC_SHA1_96
  sha1         AUTH_HMAC_SHA1_96
  sha256       AUTH_HMAC_SHA2_256_128
  sha2_256     AUTH_HMAC_SHA2_256_128
  sha256_96    AUTH_HMAC_SHA2_256_96
  sha2_256_96  AUTH_HMAC_SHA2_256_96
  sha384       AUTH_HMAC_SHA2_384_192
  sha2_384     AUTH_HMAC_SHA2_384_192
  sha512       AUTH_HMAC_SHA2_512_256
  sha2_512     AUTH_HMAC_SHA2_512_256

But better you remove this statement again:

> <para>Or on the peer using the old kernel, when it supports it:</para>
> <screen>"esp=aes128-sha256_128"</screen>

It worked for me yesterday on SLE-11-SP1, but maybe I've made some mistake in my setup... I can't find any explicit _128 in the proposal_keywords table.

> <para>There is also an incompatible strongSwan change. IPComp in tunnel mode was fixed to strip out the duplicated outer header. This change makes IPComp tunnel mode connections incompatible with previous releases. Disable compression on such tunnels.</para>
> </sect3>

Yes. compress="no" is default:

  compress
      whether IPComp compression of content is proposed on the connection
      (link-level compression does not work on encrypted data, so to be
      effective, compression must be done before encryption); acceptable
      values are yes and no (the default). A value of yes causes IPsec to
      propose both compressed and uncompressed, and prefer compressed. A
      value of no prevents IPsec from proposing compression; a proposal to
      compress will still be accepted. IKEv2 does not support IP
      compression yet.
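An added example (not from the bug report, the release notes or strongSwan itself): a small Python checker that uses the keyword-to-transform table above to flag ipsec.conf esp= proposals selecting the new 11.3 truncation, and a simulation of why an ESP receiver expecting a 96-bit ICV can never validate a packet carrying a 128-bit one. The key, payload and the payload||ICV packet layout are constructed for illustration.

```python
import hashlib
import hmac

# ESP integrity keyword -> (IKE transform, ICV bits), from the table above.
ESP_INTEGRITY = {
    "sha": ("AUTH_HMAC_SHA1_96", 96),
    "sha1": ("AUTH_HMAC_SHA1_96", 96),
    "sha256": ("AUTH_HMAC_SHA2_256_128", 128),
    "sha2_256": ("AUTH_HMAC_SHA2_256_128", 128),
    "sha256_96": ("AUTH_HMAC_SHA2_256_96", 96),
    "sha2_256_96": ("AUTH_HMAC_SHA2_256_96", 96),
    "sha384": ("AUTH_HMAC_SHA2_384_192", 192),
    "sha2_384": ("AUTH_HMAC_SHA2_384_192", 192),
    "sha512": ("AUTH_HMAC_SHA2_512_256", 256),
    "sha2_512": ("AUTH_HMAC_SHA2_512_256", 256),
}

def parse_esp(line):
    """Parse an ipsec.conf 'esp=' line (comma-separated cipher-integrity[-group]
    proposals) into (cipher, keyword, IKE transform, ICV bits) tuples."""
    value = line.split("=", 1)[1].strip().strip('"')
    result = []
    for proposal in value.split(","):
        parts = proposal.strip().split("-")
        if len(parts) < 2 or parts[1] not in ESP_INTEGRITY:
            raise ValueError(f"unsupported proposal: {proposal!r}")
        transform, bits = ESP_INTEGRITY[parts[1]]
        result.append((parts[0], parts[1], transform, bits))
    return result

def new_truncation_keywords(line):
    """Keywords in the line whose ICV length is not the old 96 bits; a
    non-empty list means a pre-11.3 peer will not interoperate."""
    return [kw for _, kw, _, bits in parse_esp(line) if bits != 96]

def esp_icv(key, payload, bits):
    """HMAC-SHA256 over the payload, truncated to the negotiated ICV length."""
    return hmac.new(key, payload, hashlib.sha256).digest()[: bits // 8]

def build_packet(key, payload, sender_bits):
    """Sender side (constructed layout): authenticated data, then the ICV."""
    return payload + esp_icv(key, payload, sender_bits)

def verify_packet(key, packet, receiver_bits):
    """Receiver side: split off the ICV using *its own* length, recompute and
    compare; a peer using the other truncation fails here without any error."""
    n = receiver_bits // 8
    payload, icv = packet[:-n], packet[-n:]
    return hmac.compare_digest(esp_icv(key, payload, receiver_bits), icv)
```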
--- Comment #3 from Marius Tomaschewski
--- Comment #4 from Marius Tomaschewski
--- Comment #5 from Marius Tomaschewski
--- Comment #6 from Marius Tomaschewski
--- Comment #7 from Marius Tomaschewski
--- Comment #8 from Marius Tomaschewski
--- Comment #9 from Karl Eichwalder
> But better you remove this statement again:
>
> <para>Or on the peer using the old kernel, when it supports it:</para>
> <screen>"esp=aes128-sha256_128"</screen>
>
> It worked for me yesterday on SLE-11-SP1, but maybe I've made some mistake in my setup... I can't find any explicit _128 in the proposal_keywords table.

Ok, this is my version now:

<!-- bnc#619193 -->
<sect3 id="sec.113.ipsec">
<title>Incompatible IPsec and strongSwan Changes</title>
<para>The "sha256"/"sha2_256" keywords now configure the kernel with 128-bit truncation, not the non-standard 96-bit truncation used by previous releases. If you depend on the 96-bit truncation scheme, use the new "sha256_96" keyword—this might be necessary, if you want to establish a connection with an old kernel (openSUSE 11.2 or earlier).</para>
<para>In those cases modify the connection settings to the old and non-standard 96-bit truncation in the <filename>ipsec.conf</filename> of the new system:</para>
<screen>esp=aes128-sha256_96</screen>
<para>There is also an incompatible strongSwan change. IPComp in tunnel mode was fixed to strip out the duplicated outer header. This change makes IPComp tunnel mode connections incompatible with previous releases. Disable compression on such tunnels.</para>
</sect3>
Karl Eichwalder
--- Comment #10 from Marius Tomaschewski
> Ok, this is my version now:

IMO it looks good. Thanks!
--- Comment #11 from Karl Eichwalder
--- Comment #12 from Swamp Workflow Management