From: Peter Müller Date: Mon, 26 May 2025 18:28:00 +0000 (+0000) Subject: Core Update 196: Adjust existing IPsec connections using ML-KEM X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb95115f5af2002830cb2bda255133ebb3619f64;p=ipfire-2.x.git Core Update 196: Adjust existing IPsec connections using ML-KEM This causes existing IPsec connections using ML-KEM to always use it in conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2 implements for newly configured IPsec connections. Again, we can reasonably assume an IPsec peer supporting ML-KEM also supports Curve 25519. In case such a peer does not support RFC 9370, and the IPsec connection was created using our default ciphers, it will fall back to Curve 448, Curve 25519, or any other traditional algorithm. This patch will break existing IPsec connections only if they are exclusively using ML-KEM (which means the IPFire user reconfigured them manually using the "advanced connection settings" section in the WebUI), and the IPsec peer is configured in the same manner, and/or is an IPFire machine not yet updated to Core Update 196. Any other IPFire-to-IPFire IPsec connection will continue working, potentially falling back to Curve 448 or 25519 until both peers are updated to Core Update 196, after which ML-KEM in conjunction with Curve 25519 will be used again. The second version of this patch modifies IPFire's own configuration file for IPsec connections, rather than applying these changes directly to /etc/ipsec.conf, where they would have been overwritten by the next WebUI change. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- diff --git a/config/rootfiles/core/196/update.sh b/config/rootfiles/core/196/update.sh index 0138fabcf..b8f92322f 100644 --- a/config/rootfiles/core/196/update.sh +++ b/config/rootfiles/core/196/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done # Stop services +/etc/rc.d/init.d/ipsec stop # Remove files rm -rfv \ @@ -65,7 +66,17 @@ esac # Apply SSH configuration #/usr/local/bin/sshctrl +# Change IPsec configuration of existing connections using ML-KEM +# to always make use of hybrid key exchange in conjunction with Curve 25519. +sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config + +# Apply changes to ipsec.conf +/srv/web/ipfire/cgi-bin/vpnmain.cgi + # Start services +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + /etc/rc.d/init.d/ipsec start +fi # This update needs a reboot... #touch /var/run/need_reboot