[strongSwan] strict Flags and PFS
Eduardo Torres
Eduardo.Torres at alcatel-lucent.com
Mon Aug 2 23:16:42 CEST 2010
All,
I was doing some testing with 2 linux boxes (both with StrongSwan IKEv2)
and I was doing the following experiments:
- Scenario 1: on one Linux box PFS was on and on the other PFS was off.
- Scenario 2: on both Linux boxes PFS was on but with different modp groups.
- Scenarios 1 and 2: both Linux boxes use the strict flag in esp and ike.
==============================
Scenario 1
Linux 1 (initiator)
pfs=yes
esp=null-sha1-modp1024!
ike=aes128-sha-modp1024!
Linux 2 (responder)
pfs=no
esp=null-sha1!
ike=aes128-sha-modp1024!
===============================
Scenario 2
Linux 1 (initiator)
pfs=yes
esp=null-sha1-modp1024!
ike=aes128-sha-modp1024!
Linux 2 (responder)
pfs=no
esp=null-sha1-modp8192!
ike=aes128-sha-modp1024!
================================
For both scenarios the CHILD SA is created (with no PFS).
It looks like for the CHILD SA the strict flag is only applied to encryption and
authentication.
My question is: does this work as designed? Also, why is it different for the IKE SA and
for the CHILD SA?
For the IKE SA, if the DH groups are not the same the IKE SA is not created, but
for the CHILD SA, the CHILD SA is created with no PFS.
Any help is appreciated.
Thanks in advance
Eduardo
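An added configuration example (not from the original post) showing the Scenario 1 responder as posted beside a responder whose esp proposal carries the same DH group as the initiator; peer names and the assumption that the post's initiator is unchanged are mine:

```ini
# Constructed ipsec.conf fragments for the strongSwan IKEv2 responder (Linux 2).
# The initiator (Linux 1) keeps the proposals from the post:
#   esp=null-sha1-modp1024!  ike=aes128-sha-modp1024!

# --- Scenario 1 responder as posted: no DH group in esp= -------------------
# The first CHILD SA is established inside IKE_AUTH, where IKEv2 never runs a
# separate DH exchange, so it has no PFS on any configuration. On rekeying
# (CREATE_CHILD_SA) a responder without a DH group in its esp proposal will not
# request one, so the rekeyed CHILD SA again has no PFS.
conn weak-no-pfs
    keyexchange=ikev2
    pfs=no
    esp=null-sha1!
    ike=aes128-sha-modp1024!
    auto=add

# --- Corrected responder: DH group stated explicitly in esp= ---------------
# For IKEv2 in strongSwan the DH group in the esp= proposal is what asks for
# PFS on CHILD SA rekeys; it must match the initiator's group (modp1024 here)
# or the strict "!" proposals will not overlap. The IKE SA proposal is
# unchanged, since ike= already matched on both peers.
conn hardened-pfs
    keyexchange=ikev2
    esp=null-sha1-modp1024!
    ike=aes128-sha-modp1024!
    auto=add
```

Check the negotiated groups with `ipsec statusall` after a rekey rather than right after IKE_AUTH, since the very first CHILD SA is created without a DH exchange regardless of these settings.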