Hello Michael, > Hello Peter, > > Thanks for this patch. > >> On 15 May 2025, at 09:09, Peter Müller <[email protected]> wrote: >> >> This causes existing IPsec connections using ML-KEM to always use it in >> conjunction with Curve 25519, in line with the changes >> dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2 >> implements for newly configured IPsec connections. >> >> Again, we can reasonably assume an IPsec peer supporting ML-KEM also >> supports Curve 25519. In case such a peer does not support RFC 9370, and >> the IPsec connection was created using our default ciphers, it will fall >> back to Curve 448, Curve 25519, or any other traditional algorithm. >> >> This patch will break existing IPsec connections only if they are >> exclusively using ML-KEM (which means the IPFire user reconfigured them >> manually using the "advanced connection settings" section in the WebUI), >> and the IPsec peer is configured in the same manner, and/or is an IPFire >> machine not yet updated to Core Update 196. Any other IPFire-to-IPFire >> IPsec connection will continue working, potentially falling back to >> Curve 448 or 25519 until both peers are updated to Core Update 196, >> after which ML-KEM in conjunction with Curve 25519 will be used again. >> >> Signed-off-by: Peter Müller <[email protected]> >> --- >> config/rootfiles/core/196/update.sh | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/config/rootfiles/core/196/update.sh >> b/config/rootfiles/core/196/update.sh >> index 0138fabcf..4f92b998b 100644 >> --- a/config/rootfiles/core/196/update.sh >> +++ b/config/rootfiles/core/196/update.sh >> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do >> done >> >> # Stop services >> +/etc/rc.d/init.d/ipsec stop >> >> # Remove files >> rm -rfv \ 
>> @@ -65,7 +66,14 @@ esac >> # Apply SSH configuration >> #/usr/local/bin/sshctrl >> >> +# Change IPsec configuration of existing connections using ML-KEM >> +# to always make use of hybrid key exchange in conjunction with Curve 25519. >> +sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf > > I believe this is not what you intend. > > You are changing the generated configuration file, but more likely, you want > to change /var/ipfire/vpn/config where we are storing the properties of the > connections. > > Afterwards, you should call vpnmain.cgi to generate /etc/ipsec.conf.
ah, right. Apologies - it's been a while. :-/ I'll submit a second version of the patchset in due course. All the best, Peter Müller > > -Michael > >> + >> # Start services >> +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then >> + /etc/rc.d/init.d/ipsec start >> +fi >> >> # This update needs a reboot... >> #touch /var/run/need_reboot >> -- >> 2.43.0 >> > >
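Review bot: in the first hunk (the `# Stop services` block), `/etc/rc.d/init.d/ipsec stop` runs unconditionally while the matching start in the last hunk is guarded by `grep -q "ENABLED=on" /var/ipfire/vpn/settings`; either mirror that guard on the stop or say in a comment that stopping an already-stopped initscript is a harmless no-op, so the two halves read as a pair. The commit message should also state that every established tunnel is torn down between this stop and the later start, since an administrator applying the update over an IPsec tunnel loses that path until the restart completes.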
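Review bot: in the second hunk, `sed -i -e "s@-mlkem@-x25519-ke1_mlkem@g" /etc/ipsec.conf` is an unanchored substitution over the whole file, so beyond the point Michael raised (the connection properties live in /var/ipfire/vpn/config and /etc/ipsec.conf is regenerated from them by vpnmain.cgi) it rewrites every `-mlkem` occurrence on every line, IKE and ESP proposals alike, and a proposal that already lists x25519 ahead of the mlkem token ends up with it twice (`x25519-mlkem768` becomes `x25519-x25519-ke1_mlkem768`). When the rewrite moves to the stored config, anchor the pattern to the proposal field it is meant to change and skip entries that already carry x25519, and print or log the lines that were modified so the update leaves a record of what it touched.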
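Review bot: in the last hunk, `grep -q "ENABLED=on" /var/ipfire/vpn/settings` is a substring match, so any other key whose name ends in `ENABLED` and is set to `on` would also start IPsec; `grep -q "^ENABLED=on"` limits the check to the intended key. Since `#touch /var/run/need_reboot` stays commented out, this start is the only step that brings the rewritten tunnels back up, so the regenerated configuration (via vpnmain.cgi, as Michael notes) has to be in place before this line runs.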
