KNX Secure Connection

toerb · June 21, 2022, 1:24pm

I have uploaded the relevant log part and a pcap with the discovery messages to my server.
You can retrieve the files here:

The HA device (raspberry pi 3) is on the same layer 2 network as the IP interface.
I have used the guide for installing the Home Assistant Operating System for the raspberry pi.

Thanks for your interest and time!

farmio · June 21, 2022, 1:57pm

Alright, thank you very much!
I have found a bug in our logic thanks to your logs . It handles the response wrongly when the order of description information in the frame is not as expected.
I’ll try to put up a fix tonight or so. This will be resolved in the next version of xknx (and HA).

toerb · June 21, 2022, 2:03pm

That is a great message!

I am glad you were able to find the problem and I will look forward to the next release!

farmio · June 22, 2022, 10:21am

In case you are interested:

github.com/XKNX/xknx

GatewayDescriptor parsing independent of DIB order

XKNX:main ← XKNX:dib-order

opened 06:43AM - 22 Jun 22 UTC

farmio

+157 -5

## Description  Fix GatewayDescriptor parsing when SearchResponseExtended DIBs are in unexpected order When `DIBSecuredServiceFamilies` was parsed after `DIBSuppSVCFamilies` it overwrote its previously parsed fields because the `isinstance()` check matched as one derived from the other. Fixes # (issue) ## Type of change  - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] This change requires a documentation update ## Checklist: - [ ] The documentation has been adjusted accordingly - [x] Tests have been added that prove the fix is effective or that the feature works - [x] The changes are documented in the changelog (docs/changelog.md)

kirimeister · August 15, 2022, 12:55pm

I’m planning to switch to KNX secure using the Weinzierl IP Interface 731. Has anyone have an experience with secure using that device? Other than that, from what I figured, KNX secure is used during comissioning through ETS but also during use over TP as well as IPNet. Those devices that cannot speak secure will use normal KNX. Is that right?

farmio · August 15, 2022, 1:30pm

Hi !
The 731 can’t speak IP Secure. You’d need a 732.
That said there are 2 types of secure communication in Knx

IP Secure: only IP traffic (eg. from HA to the interface) is secured. TP traffic not affected.
Data Secure: only the payloads are secured, parts of the Telegrams stay unencrypted.

These can be used together.
HA supports only the former.

kirimeister · August 15, 2022, 1:54pm

Thanks for the quick answer! I meant the 732 indeed. If the ETS goes over IP then it also uses the IP Secure during comissioning, right?

farmio · August 15, 2022, 2:03pm

Yes sure. If it is configured to use IP Secure no non-Secure connection is possible. ETS has no exception.

zacolly · September 14, 2022, 2:36am

Hi,
I have been trying to get HA to connect using IP secure but authentication is failing.
Did you have to create the knx directory to put the .knxkeys file into?

I then tried to load a TCP only tunnel connection and all my entities lost their custom icons etc.
Will this be the case when I get the IP secure working?

I’ve restored to a backup for now but thought I would check before going too much further.

farmio · September 14, 2022, 4:57am

Hi !

Do you have any logs of that? Did you follow the documentation about getting the right keys? What interface is it?

Yes, you’ll have to create that directory.
Or use manual user/password/auth-key configuration. (do this if you use an interface from MDT)

I don’t know why this happened and if it could happen again.

Skogsholm · December 2, 2022, 11:08pm

Are you saying it’s impossible to connect to 731 after the KNX integration started using IP Secure?

farmio · December 2, 2022, 11:11pm

No. IP-Secure is an optional feature of the KNX integration.