[Pkg-swan-devel] Bug#1109942: strongswan-charon: upgrade to 6.0.1-6 causes "key derivation failed" error with older versions

Tobias Brunner tobias at strongswan.org
Wed Aug 13 18:13:01 BST 2025 

Dear Maintainers,

>> One of our servers got its strongswan-charon package upgraded from 
>> 6.0.1-5 to 6.0.1-6 last night. It has ipsec connections to another 
>> trixie machine that's still using 6.0.1-5 and to a bookworm machine 
>> that's using 5.9.8-5+deb12u1
>>
>> No changes to the configuration happened for a while. Since the upgrade 
>> happened, the host with 6.0.1-6 can't establish connection to the other 
>> two hosts anymore. If I start the connection manually I can see the 
>> followup output (peer IP replaced by 1.2.3.4; local IP replaced by 1.2.1.2):
>>
>> ipsec up connection-name
>> initiating IKE_SA connection-name[6] to 1.2.3.4
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 1.2.1.2[500] to 1.2.3.4[500] (972 bytes)
>> received packet: from 1.2.3.4[500] to 1.2.1.2[500] (280 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
>> selected proposal: 
>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
>> KDF_PRF with PRF_HMAC_SHA2_256 not supported
>> key derivation failed
>> establishing connection 'connection-name' failed
>>
>>
>> Is this an expected compatibility break or is that an unexpected regression?
> 
> If you have OpenSSL 3.5.1 installed, then this is unfortunately
> expected.  It requires the patches at [1] and [2], which were released
> with 6.0.2.
>
> Regards,
> Tobias
> 
> [1]
> https://github.com/strongswan/strongswan/commit/2dbeecfc029ba26647c756b0882bc6e85e2e6b64
> [2]
> https://github.com/strongswan/strongswan/commit/43b805b2daed48bdf835ca8eeb87b9b71a42781f

It might be a good idea to apply these two patches to 6.0.1 in trixie,
in order to avoid that everybody has to install
libstrongswan-extra-plugins just for the kdf plugin.

Also, the problem could technically also occur on bookworm as the
OpenSSL guys have backported their "fix" to 3.0.17 for some reason.  The
difference there is that the kdf plugin is installed by default via
libstrongswan package, while the openssl plugin is shipped separately in
libstrongswan-standard-plugins.  So it will only be a problem if the kdf
plugin is explicitly disabled in the config.

Regards,
Tobias

More information about the Pkg-swan-devel mailing list