From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM
Date: Mon, 26 May 2025 18:05:00 +0000
Message-ID: <bf6e5b96-b25c-45ed-8150-5f03018747c4@ipfire.org>
In-Reply-To: <7F8BE5B9-47B1-4B74-AB0A-1A8F04E3358E@ipfire.org>
Hello Michael,
> Hello Peter,
>
> Thanks for this patch.
>
>> On 15 May 2025, at 09:09, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> This causes existing IPsec connections using ML-KEM to always use it in
>> conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
>> implements for newly configured IPsec connections.
>>
>> Again, we can reasonably assume an IPsec peer supporting ML-KEM also
>> supports Curve 25519. In case such a peer does not support RFC 9370, and
>> the IPsec connection was created using our default ciphers, it will fall
>> back to Curve 448, Curve 25519, or any other traditional algorithm.
>>
>> This patch will break existing IPsec connections only if they are
>> exclusively using ML-KEM (which means the IPFire user reconfigured them
>> manually using the "advanced connection settings" section in the WebUI),
>> and the IPsec peer is configured in the same manner, and/or is an IPFire
>> machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
>> IPsec connection will continue working, potentially falling back to
>> Curve 448 or 25519 until both peers are updated to Core Update 196,
>> after which ML-KEM in conjunction with Curve 25519 will be used again.
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> config/rootfiles/core/196/update.sh | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh
>> index 0138fabcf..4f92b998b 100644
>> --- a/config/rootfiles/core/196/update.sh
>> +++ b/config/rootfiles/core/196/update.sh
>> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
>> done
>>
>> # Stop services
>> +/etc/rc.d/init.d/ipsec stop
>>
>> # Remove files
>> rm -rfv \
>> @@ -65,7 +66,14 @@ esac
>> # Apply SSH configuration
>> #/usr/local/bin/sshctrl
>>
>> +# Change IPsec configuration of existing connections using ML-KEM
>> +# to always make use of hybrid key exchange in conjunction with Curve 25519.
>> +sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf
>
> I believe this is not what you intend.
>
> You are changing the generated configuration file, but more likely, you want to change /var/ipfire/vpn/config where we are storing the properties of the connections.
>
> Afterwards, you should call vpnmain.cgi to generate /etc/ipsec.conf.
Ah, right. Apologies - it's been a while. :-/
I'll submit a second version of the patchset in due course.
All the best,
Peter Müller
>
> -Michael
>
>> +
>> # Start services
>> +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
>> + /etc/rc.d/init.d/ipsec start
>> +fi
>>
>> # This update needs a reboot...
>> #touch /var/run/need_reboot
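Review bot: the `grep -q "ENABLED=on" /var/ipfire/vpn/settings` guard before `ipsec start` is unanchored, so any key whose name ends in `ENABLED` (or any line merely containing that text) would also satisfy it; anchor the match as `grep -q "^ENABLED=on$" /var/ipfire/vpn/settings`. Separately, the `sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf` line rewrites the generated file only, so the change is lost the next time the WebUI regenerates `/etc/ipsec.conf` from the stored connection properties; as the reply above points out, the stored properties in `/var/ipfire/vpn/config` should be updated and the configuration regenerated, and the `sed -i` should also not run when `/etc/ipsec.conf` is absent.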
>> --
>> 2.43.0
>>
>
>
2025-05-15 8:06 [PATCH 1/2] vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519 Peter Müller
2025-05-15 8:09 ` [PATCH 2/2] Core Update 196: Adjust existing IPsec connections using ML-KEM Peter Müller
2025-05-26 10:32 ` Michael Tremer
2025-05-26 18:05 ` Peter Müller [this message]
2025-05-15 8:16 ` [PATCH 1/2] vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519 Adolf Belka
2025-05-15 12:07 ` Adam Gibbons