[Pkg-swan-devel] Bug#1109942: strongswan-charon: upgrade to 6.0.1-6 causes "key derivation failed" error with older versions
Tobias Brunner
tobias at strongswan.org
Mon Jul 28 06:58:01 BST 2025
Hi Gabriel,
> One of our servers got its strongswan-charon package upgraded from
> 6.0.1-5 to 6.0.1-6 last night. It has ipsec connections to another
> trixie machine that's still using 6.0.1-5 and to a bookworm machine
> that's using 5.9.8-5+deb12u1
>
> No changes to the configuration happened for a while. Since the upgrade
> happened, the host with 6.0.1-6 can't establish connection to the other
> two hosts anymore. If I start the connection manually I can see the
> followup output (peer IP replaced by 1.2.3.4; local IP replaced by 1.2.1.2):
>
> ipsec up connection-name
> initiating IKE_SA connection-name[6] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 1.2.1.2[500] to 1.2.3.4[500] (972 bytes)
> received packet: from 1.2.3.4[500] to 1.2.1.2[500] (280 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> selected proposal:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> KDF_PRF with PRF_HMAC_SHA2_256 not supported
> key derivation failed
> establishing connection 'connection-name' failed
>
>
> Is this an expected compatibility break or is that an unexpected regression?
If you have OpenSSL 3.5.1 installed, then this is unfortunately
expected. It requires the patches at [1] and [2], which were released
with 6.0.2.
Regards,
Tobias
[1]
https://github.com/strongswan/strongswan/commit/2dbeecfc029ba26647c756b0882bc6e85e2e6b64
[2]
https://github.com/strongswan/strongswan/commit/43b805b2daed48bdf835ca8eeb87b9b71a42781f
More information about the Pkg-swan-devel
mailing list