MLKEM IPsec connections dropped after Core Update 196 update

With Core Update 195, I used the MLKEM (256-bit) algorithm in some of my IPSec VPN connections.

After updating from Core Update 195 to Core Update 196, all IPsec VPN connections using the MLKEM (256-bit) algorithm were disconnected.

First I checked the IPSec connections in the GUI and noticed that the IKE and ESP Grouptypes were not selected.

Then I checked the /var/ipfire/vpn/config file and noticed that all “mlkem1024” entries had changed to “x25519-ke1_mlkem1024”.

When I re-selected the IKE and ESP Grouptypes to MLKEM (256-bit) in the GUI IPSec interface, all “x25519-ke1_mlkem1024” entries in the /var/ipfire/vpn/config file changed to “mlkem1024” and the IPSec VPN connections were re-established.

I checked the IPFire GitHub and saw that the “Commit 5ed68a1 vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519” change included the option “Curve 25519 x ML-KEM 1024 (256 bit)”, but it was not listed in the Core Update 196 option list.

As far as I can tell, the vpnmain.cgi file appears to have been unchanged in the Core Update 196 upgrade, at least in my case.

In this case, my solution is to use the latest vpnmain.cgi file from the IPFire Github page.

Hello @ironhand

Welcome to the IPFire community.

I checked back and found that the commit for the change to vpnmain.cgi was merged but it was not shipped with the update but the update did

```
# Change IPsec configuration of existing connections using ML-KEM
# to always make use of hybrid key exchange in conjunction with Curve 25519.
if ! grep -q "x25519-ke1_mlkem" /var/ipfire/vpn/config; then
	sed -i -e "s@mlkem@x25519-ke1_mlkem@g" /var/ipfire/vpn/config
fi
```

Sorry for missing this out in the CU196 update.

Anybody doing a fresh install of CU196 will get the updated vpnmain.cgi.

I will submit a patch to ship the updated vpnmain.cgi file with the CU197 update so everybody gets it with that update.

EDIT:
Patch has been submitted.
https://lists.ipfire.org/development/20250727082634.3069-1-adolf.belka@ipfire.org/T/#u

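A check for the mismatch discussed in this thread, as an added example that is not part of either post or of IPFire's own code: it lists the ML-KEM group tokens found in a VPN config that a given vpnmain.cgi does not mention. It assumes the CGI source contains each selectable value literally; the function names are hypothetical and the sample files are constructed stand-ins, not the real file layouts.

```shell
#!/bin/sh
# Added example: find ML-KEM group tokens in an IPsec config that the
# installed vpnmain.cgi does not offer (config migrated, CGI not updated).

# Print each distinct ML-KEM group token in the config, one per line.
config_tokens() {
	grep -oE '(x25519-ke1_)?mlkem[0-9]+' "$1" | sort -u
}

# Succeed if the CGI source contains the token as a whole word, so plain
# "mlkem1024" is not matched inside "x25519-ke1_mlkem1024".
# Assumption: selectable values appear literally in the CGI source.
cgi_offers() {
	grep -qE "(^|[^A-Za-z0-9_-])$1([^A-Za-z0-9_-]|\$)" "$2"
}

# Usage: check_groups CONFIG CGI
# Prints tokens the CGI does not offer; returns 1 if any were found.
check_groups() {
	missing=0
	for tok in $(config_tokens "$1"); do
		if ! cgi_offers "$tok" "$2"; then
			echo "$tok"
			missing=1
		fi
	done
	return "$missing"
}

# Reproduce the state described in the thread on constructed files.
demo() {
	dir=$(mktemp -d)
	# Constructed stand-ins: one connection line, one option line.
	printf '%s\n' "1,on,siteA,mlkem1024,mlkem1024" > "$dir/config"
	printf '%s\n' "<option value='mlkem1024'>" > "$dir/old.cgi"
	# The update step quoted in the thread, applied to the copy.
	if ! grep -q "x25519-ke1_mlkem" "$dir/config"; then
		sed -i -e "s@mlkem@x25519-ke1_mlkem@g" "$dir/config"
	fi
	# The old CGI only knows the plain token, so the hybrid one is reported.
	check_groups "$dir/config" "$dir/old.cgi" || true
	rm -rf "$dir"
}

demo
```

On a real system, pass /var/ipfire/vpn/config and the path of the installed vpnmain.cgi to `check_groups`; any token it prints is one the GUI will show as unselected.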