Hello Peter,

Thanks for this patch.
> On 15 May 2025, at 09:09, Peter Müller <[email protected]> wrote: > > This causes existing IPsec connections using ML-KEM to always use it in > conjunction with Curve 25519, in line with the changes > dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2 > implements for newly configured IPsec connections. > > Again, we can reasonably assume an IPsec peer supporting ML-KEM also > supports Curve 25519. In case such a peer does not support RFC 9370, and > the IPsec connection was created using our default ciphers, it will fall > back to Curve 448, Curve 25519, or any other traditional algorithm. > > This patch will break existing IPsec connections only if they are > exclusively using ML-KEM (which means the IPFire user reconfigured them > manually using the "advanced connection settings" section in the WebUI), > and the IPsec peer is configured in the same manner, and/or is an IPFire > machine not yet updated to Core Update 196. Any other IPFire-to-IPFire > IPsec connection will continue working, potentially falling back to > Curve 448 or 25519 until both peers are updated to Core Update 196, > after which ML-KEM in conjunction with Curve 25519 will be used again. > > Signed-off-by: Peter Müller <[email protected]> > --- > config/rootfiles/core/196/update.sh | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/config/rootfiles/core/196/update.sh > b/config/rootfiles/core/196/update.sh > index 0138fabcf..4f92b998b 100644 > --- a/config/rootfiles/core/196/update.sh > +++ b/config/rootfiles/core/196/update.sh > @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do > done > > # Stop services > +/etc/rc.d/init.d/ipsec stop > > # Remove files > rm -rfv \ 
> @@ -65,7 +66,14 @@ esac > # Apply SSH configuration > #/usr/local/bin/sshctrl > > +# Change IPsec configuration of existing connections using ML-KEM > +# to always make use of hybrid key exchange in conjunction with Curve 25519. > +sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf I believe this is not what you intend. You are changing the generated configuration file, but more likely, you want to change /var/ipfire/vpn/config where we are storing the properties of the connections. Afterwards, you should call vpnmain.cgi to generate /etc/ipsec.conf. -Michael > + > # Start services > +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then > + /etc/rc.d/init.d/ipsec start > +fi > > # This update needs a reboot... > #touch /var/run/need_reboot > -- > 2.43.0 >
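Review bot: in the first hunk (@@ -32,6 +32,7 @@), the added `/etc/rc.d/init.d/ipsec stop` under "# Stop services" is unconditional while the matching start in the second hunk is gated on `ENABLED=on` in /var/ipfire/vpn/settings; that asymmetry is harmless (stopping an inactive service is a no-op), but the reason for taking the daemon down this early, well before the configuration is rewritten, is not stated. A one-line comment saying the daemon is stopped so the proposal change applied further down is picked up on the restart would make the ordering clear to the next person editing update.sh.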
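Review bot: in the second hunk (@@ -65,7 +66,14 @@), `sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf` is applied only to the generated file, so, as Michael points out, the persisted connection properties in /var/ipfire/vpn/config keep the ML-KEM-only proposal and the next time vpnmain.cgi regenerates /etc/ipsec.conf the change is lost; apply the substitution to /var/ipfire/vpn/config and regenerate /etc/ipsec.conf from it instead. Two smaller points on the same lines: the `sed -i` runs unguarded, so on an installation where /etc/ipsec.conf is absent it exits non-zero, whereas the start is guarded by the `ENABLED=on` check, so guard the rewrite the same way (or with `[ -f /etc/ipsec.conf ]`); and the substitution is a bare substring match, so it is worth confirming against the values actually written for the proposals that `-mlkem` only occurs in the ML-KEM-only form, and that a second run of the script is a no-op (on the strings shown it is, since the replacement `-x25519-ke1_mlkem` no longer contains `-mlkem`).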
