From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b5XBw2PsWz32fj for ; Mon, 26 May 2025 10:32:24 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b5XBr60M9z2xng for ; Mon, 26 May 2025 10:32:20 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4b5XBp0J5Tz34c; Mon, 26 May 2025 10:32:16 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1748255540; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=m43kXaBevZDaBOzb8ynCXzj3KHp65zGMYKQlcDuORQU=; b=cMr4LzRFpYc7o56GVmlkx7X5ebKjR1Kl8YS53GMNq9LbXAyg2C4nnvBxgevKMueDRBgtf8 ixhN84G4U+SnUaCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1748255540; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=m43kXaBevZDaBOzb8ynCXzj3KHp65zGMYKQlcDuORQU=; b=gZv73R6l4riSTdzc7dTZPd3u2EaedAEErXvgW+6cV0MoZrpkP0FIkPw037VweSLZkIlEMi 7yMI4LpPynDm9dSNnp9SbXd0gu+gesIm9oVAgiV5Kaz68zJxT/4gyArlVYsyw2xQYmQuQT sJWl6MRv/8C/FaB1edwsRjK6YPgxlzl3BF4LlpbhR0pBuJogFZ5etIsdUgXGOIfsxGvVYO DIH43/uN8I5bsBd9EkEq5U1Hko1Vtv/IWzbDMtjxEAuZc4tQNI4Bn6BMhvxZHx7AG1UDhW PU6HlJ4OkgLQv3A3QjlGbxp6Oo/diHxqYXoVDWlzBN5HGjLlbmsDkZOR7isEDQ== Content-Type: text/plain; charset=utf-8 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: Mime-Version: 1.0 Subject: Re: [PATCH 2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM From: Michael Tremer In-Reply-To: Date: Mon, 26 May 2025 11:32:09 +0100 Cc: "IPFire: Development" Content-Transfer-Encoding: quoted-printable Message-Id: <7F8BE5B9-47B1-4B74-AB0A-1A8F04E3358E@ipfire.org> References: <8baae50f-cf7b-4af0-81ec-89d898966993@ipfire.org> To: =?utf-8?Q?Peter_M=C3=BCller?= Hello Peter, Thanks for this patch. > On 15 May 2025, at 09:09, Peter M=C3=BCller = wrote: >=20 > This causes existing IPsec connections using ML-KEM to always use it = in > conjunction with Curve 25519, in line with the changes = dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2 > implements for newly configured IPsec connections. >=20 > Again, we can reasonably assume an IPsec peer supporting ML-KEM also > supports Curve 25519. In case such a peer does not support RFC 9370, = and > the IPsec connection was created using our default ciphers, it will = fall > back to Curve 448, Curve 25519, or any other traditional algorithm. >=20 > This patch will break existing IPsec connections only if they are > exclusively using ML-KEM (which means the IPFire user reconfigured = them > manually using the "advanced connection settings" section in the = WebUI), > and the IPsec peer is configured in the same manner, and/or is an = IPFire > machine not yet updated to Core Update 196. Any other IPFire-to-IPFire > IPsec connection will continue working, potentially falling back to > Curve 448 or 25519 until both peers are updated to Core Update 196, > after which ML-KEM in conjunction with Curve 25519 will be used again. >=20 > Signed-off-by: Peter M=C3=BCller > --- > config/rootfiles/core/196/update.sh | 8 ++++++++ > 1 file changed, 8 insertions(+) >=20 > diff --git a/config/rootfiles/core/196/update.sh = b/config/rootfiles/core/196/update.sh > index 0138fabcf..4f92b998b 100644 > --- a/config/rootfiles/core/196/update.sh > +++ b/config/rootfiles/core/196/update.sh > @@ -32,6 +32,7 @@ for (( i=3D1; i<=3D$core; i++ )); do > done >=20 > # Stop services > +/etc/rc.d/init.d/ipsec stop >=20 > # Remove files > rm -rfv \ > @@ -65,7 +66,14 @@ esac > # Apply SSH configuration > #/usr/local/bin/sshctrl >=20 > +# Change IPsec configuration of existing connections using ML-KEM > +# to always make use of hybrid key exchange in conjunction with Curve = 25519. > +sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf I believe this is not what you intend. You are changing the generated configuration file, but more likely, you = want to change /var/ipfire/vpn/config where we are storing the = properties of the connections. Afterwards, you should call vpnmain.cgi to generate /etc/ipsec.conf. -Michael > + > # Start services > +if grep -q "ENABLED=3Don" /var/ipfire/vpn/settings; then > + /etc/rc.d/init.d/ipsec start > +fi >=20 > # This update needs a reboot... > #touch /var/run/need_reboot > --=20 > 2.43.0 >=20