[strongSwan] strict Flags and PFS

Eduardo Torres Eduardo.Torres at alcatel-lucent.com
Mon Aug 2 23:16:42 CEST 2010


All,

I was doing some testing with 2 Linux boxes (both with strongSwan IKEv2) 
and I was doing the following experiments:
- Scenario 1: on one Linux box PFS was on and on the other PFS was off.
- Scenario 2: on both Linux boxes PFS was on but with different modp groups.
- Scenarios 1 and 2: both Linux boxes using the strict flag in esp and ike.
==============================
Scenario 1
Linux 1 (initiator)
pfs=yes
esp=null-sha1-modp1024!
ike=aes128-sha-modp1024!

Linux 2 (responder)
pfs=no
esp=null-sha1!
ike=aes128-sha-modp1024!
===============================
Scenario 2
Linux 1 (initiator)
pfs=yes
esp=null-sha1-modp1024!
ike=aes128-sha-modp1024!

Linux 2 (responder)
pfs=no
esp=null-sha1-modp8192!
ike=aes128-sha-modp1024!
================================
For both scenarios the CHILD SA is created (with no PFS).
It looks like for the CHILD SA the strict flag only applies to encryption and 
authentication.

My question is: does this work as designed? Also, why is it different for the IKE SA and 
for the CHILD SA?
For the IKE SA, if the DH groups are not the same the IKE SA is not created, but 
for the CHILD SA, the CHILD SA is created with no PFS.

Any help is appreciated.
Thanks in advance
Eduardo
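The behaviour described in the post, modelled as an added example (this is illustration code written for this thread, not strongSwan's own code and not from the poster): the first CHILD_SA is established inside the IKE_AUTH exchange, which carries no Diffie-Hellman group, so the DH group in an esp= proposal is only matched on later CREATE_CHILD_SA (rekey) exchanges, whereas an IKE_SA proposal always carries one. The matcher assumes both sides use the strict flag, as on this page, so strongSwan's default proposal lists are not modelled, and it only knows the algorithm keywords that appear above.

```python
# Constructed model of strict IKEv2 proposal matching, written for this post.
# It is an illustration, not strongSwan's own negotiation code.
from typing import Dict, List, Optional, Tuple

Proposal = Dict[str, set]

# Algorithm keywords used on this page, grouped by transform type.
# "sha" is strongSwan's alias for "sha1", so both map to one canonical name.
TRANSFORM_TYPE = {"null": "encr", "aes128": "encr",
                  "sha": "integ", "sha1": "integ",
                  "modp1024": "dh", "modp8192": "dh"}
ALIASES = {"sha": "sha1"}


def parse_proposals(spec: str) -> Tuple[List[Proposal], bool]:
    """Parse 'null-sha1-modp1024,aes128-sha1!' into per-proposal transform sets.
    Returns the proposal list and whether the strict flag ('!') was present."""
    strict = spec.endswith("!")
    proposals: List[Proposal] = []
    for entry in spec.rstrip("!").split(","):
        prop: Proposal = {"encr": set(), "integ": set(), "dh": set()}
        for token in entry.split("-"):
            ttype = TRANSFORM_TYPE.get(token)
            if ttype is None:
                raise ValueError(f"unknown transform keyword: {token}")
            prop[ttype].add(ALIASES.get(token, token))
        proposals.append(prop)
    return proposals, strict


def select_proposal(initiator: str, responder: str,
                    ike_auth: bool) -> Optional[Dict[str, str]]:
    """Return the first initiator proposal the responder accepts, or None.
    ike_auth=True models the first CHILD_SA: it is keyed from the IKE_SA's own
    DH exchange, so the DH transform is ignored on both sides.  IKE_SA
    proposals and CHILD_SA rekeys (ike_auth=False) must agree on a DH group."""
    init_props, init_strict = parse_proposals(initiator)
    resp_props, resp_strict = parse_proposals(responder)
    if not (init_strict and resp_strict):
        raise NotImplementedError("default proposal lists are not modelled")
    for ip in init_props:
        for rp in resp_props:
            chosen: Dict[str, str] = {}
            for ttype in ("encr", "integ", "dh"):
                if ike_auth and ttype == "dh":
                    continue  # no DH group is negotiated inside IKE_AUTH
                common = ip[ttype] & rp[ttype]
                if not common:
                    break  # this pair disagrees on a transform: try the next
                chosen[ttype] = min(common)
            else:
                return chosen
    return None
```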