From: Michael Tremer <michael.tremer@ipfire.org>
To: "Peter Müller" <peter.mueller@ipfire.org>
Cc: "IPFire: Development" <development@lists.ipfire.org>
Subject: Re: [PATCH 2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM
Date: Mon, 26 May 2025 11:32:09 +0100
Message-ID: <7F8BE5B9-47B1-4B74-AB0A-1A8F04E3358E@ipfire.org>
In-Reply-To: <b073e757-e4e0-49cd-b3cf-604c4a8faa26@ipfire.org>
Hello Peter,
Thanks for this patch.
> On 15 May 2025, at 09:09, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> This causes existing IPsec connections using ML-KEM to always use it in
> conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
> implements for newly configured IPsec connections.
>
> Again, we can reasonably assume an IPsec peer supporting ML-KEM also
> supports Curve 25519. In case such a peer does not support RFC 9370, and
> the IPsec connection was created using our default ciphers, it will fall
> back to Curve 448, Curve 25519, or any other traditional algorithm.
>
> This patch will break existing IPsec connections only if they are
> exclusively using ML-KEM (which means the IPFire user reconfigured them
> manually using the "advanced connection settings" section in the WebUI),
> and the IPsec peer is configured in the same manner, and/or is an IPFire
> machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
> IPsec connection will continue working, potentially falling back to
> Curve 448 or 25519 until both peers are updated to Core Update 196,
> after which ML-KEM in conjunction with Curve 25519 will be used again.
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/rootfiles/core/196/update.sh | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh
> index 0138fabcf..4f92b998b 100644
> --- a/config/rootfiles/core/196/update.sh
> +++ b/config/rootfiles/core/196/update.sh
> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
> done
>
> # Stop services
> +/etc/rc.d/init.d/ipsec stop
>
> # Remove files
> rm -rfv \
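Review bot: the `ipsec stop` added under `# Stop services` is unconditional, while the matching start at the end of the script is gated on `ENABLED=on` in `/var/ipfire/vpn/settings`. That asymmetry is the right one (a disabled IPsec must not be brought up by the update), but this stop/start pair is also what makes the rewritten proposals take effect, so whatever rewrites the connections, whether the sed on `/etc/ipsec.conf` further down or a regeneration from `/var/ipfire/vpn/config` as suggested in the reply, has to stay between this stop and that start. A one-line comment here stating that IPsec is stopped for a configuration rewrite, not only for file replacement, would make that dependency visible to the next person editing update.sh.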
> @@ -65,7 +66,14 @@ esac
> # Apply SSH configuration
> #/usr/local/bin/sshctrl
>
> +# Change IPsec configuration of existing connections using ML-KEM
> +# to always make use of hybrid key exchange in conjunction with Curve 25519.
> +sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf
I believe this is not what you intend.
You are changing the generated configuration file, but more likely, you want to change /var/ipfire/vpn/config where we are storing the properties of the connections.
Afterwards, you should call vpnmain.cgi to generate /etc/ipsec.conf.
-Michael
> +
> # Start services
> +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
> + /etc/rc.d/init.d/ipsec start
> +fi
>
> # This update needs a reboot...
> #touch /var/run/need_reboot
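Review bot: the substitution `s@-mlkem@-x25519-ke1_mlkem@g` inserts `x25519` in front of every ML-KEM token without checking whether the proposal already lists it, so any proposal string that already carries `x25519` alongside the ML-KEM group (which the commit message suggests the default cipher set does, given its fallback to Curve 448 or Curve 25519) comes out with `x25519` twice, e.g. `...-x25519-x448-mlkem768` becomes `...-x25519-x448-x25519-ke1_mlkem768`. Re-running the script is safe, since the `ke1_mlkem` form no longer matches `-mlkem`, but the rewrite should either skip proposals that already contain `x25519` or rebuild the proposal token by token from the stored connection settings instead of patching the generated file. The start gated on `grep -q "ENABLED=on"` matches the existing pattern and needs no change.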
> --
> 2.43.0
>
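The doubling and idempotency questions raised against the sed above can be checked with a small proposal rewriter. The following is an added example, not IPFire code and not part of this thread; it assumes strongSwan's ipsec.conf proposal grammar (hyphen-separated algorithm tokens, comma-separated alternative proposals, an optional trailing `!` for a strict list) and uses the token spelling from the patch (`mlkem768`, `ke1_mlkem768`, `x25519`). It rewrites each proposal as a token list rather than by blind string substitution, so `x25519` is added only when absent and the output is stable on re-run; `patch_rewrite` reproduces the sed from the patch for comparison.

```shell
#!/bin/sh
# Added example (not IPFire code): rewrite strongSwan IKE proposals so that
# every ML-KEM group is used as an additional key exchange (ke1_) together
# with x25519, without doubling x25519 and idempotently on re-run.
# Assumed grammar: proposals are hyphen-separated tokens, alternatives are
# comma-separated, and a trailing '!' marks a strict proposal list.

# The substitution from the patch, kept for comparison. It prepends
# x25519 to every "-mlkem" regardless of what the proposal already lists.
patch_rewrite() {
    printf '%s\n' "$1" | sed -e "s@-mlkem@-x25519-ke1_mlkem@g"
}

# Rewrite a single proposal such as "aes256gcm16-prfsha256-mlkem768".
rewrite_proposal() {
    proposal=$1
    has_x25519=0
    has_mlkem=0
    out=

    # Split the proposal into tokens via the positional parameters,
    # which works in any POSIX shell (no arrays needed).
    old_ifs=$IFS
    IFS='-'
    set -- $proposal
    IFS=$old_ifs

    # First pass: what does the proposal already contain?
    for tok in "$@"; do
        case $tok in
            x25519)            has_x25519=1 ;;
            mlkem*|ke1_mlkem*) has_mlkem=1 ;;
        esac
    done

    # Proposals without ML-KEM are returned untouched.
    if [ "$has_mlkem" -eq 0 ]; then
        printf '%s\n' "$proposal"
        return 0
    fi

    # Second pass: turn mlkemNNN into ke1_mlkemNNN and insert x25519 once,
    # directly before the first ML-KEM token, unless it is already listed.
    for tok in "$@"; do
        case $tok in
            mlkem*|ke1_mlkem*)
                if [ "$has_x25519" -eq 0 ]; then
                    out="${out:+$out-}x25519"
                    has_x25519=1
                fi
                case $tok in
                    ke1_*) ;;          # already in hybrid notation
                    *) tok=ke1_$tok ;;
                esac
                ;;
        esac
        out="${out:+$out-}$tok"
    done
    printf '%s\n' "$out"
}

# Rewrite a comma-separated proposal list, preserving a trailing '!'.
rewrite_proposal_list() {
    list=$1
    strict=
    case $list in
        *!) strict='!'; list=${list%!} ;;
    esac
    old_ifs=$IFS
    IFS=','
    set -- $list
    IFS=$old_ifs
    result=
    for item in "$@"; do
        result="${result:+$result,}$(rewrite_proposal "$item")"
    done
    printf '%s%s\n' "$result" "$strict"
}

# Constructed sample inputs (not taken from a real ipsec.conf).
for p in "aes256gcm16-prfsha256-mlkem768" \
         "aes256gcm16-prfsha256-x25519-x448-mlkem768" \
         "aes256gcm16-prfsha256-x25519-ke1_mlkem768" \
         "aes256-sha256-modp2048"; do
    printf 'patch sed:  %s\ntoken-wise: %s\n\n' \
        "$(patch_rewrite "$p")" "$(rewrite_proposal "$p")"
done
```

Run it as a plain script to see the two rewrites side by side: the second sample shows the sed producing `x25519` twice where the token-wise version leaves the existing `x25519` in place, and the third shows that an already-converted proposal passes through unchanged.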
Thread overview: 6+ messages
2025-05-15 8:06 [PATCH 1/2] vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519 Peter Müller
2025-05-15 8:09 ` [PATCH 2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM Peter Müller
2025-05-26 10:32 ` Michael Tremer [this message]
2025-05-26 18:05 ` Peter Müller
2025-05-15 8:16 ` [PATCH 1/2] vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519 Adolf Belka
2025-05-15 12:07 ` Adam Gibbons