[strongSwan] IKEv2 PFS disabled
Alexis Salinas
alexis.salinas at inmotiontechnology.com
Sat Dec 11 01:36:21 CET 2010
Hi all,
I'm trying to connect a Linux gateway to a Fortigate 50B Firewall (Fortinet Inc.). The problem is that despite configuring the gateway with PFS enabled for the CHILD_SA, the Fortigate box claims that PFS is disabled and of course doesn't complete the negotiation. If I disable phase 2 PFS in the Fortigate everything works. Am I missing something? Any help will be appreciated.
Cheers,
Alexis
Here is the configuration of my Linux gateway:
config setup
        cachecrls=no
        charonstart=yes
        crlcheckinterval=0
        plutostart=no
        strictcrlpolicy=no
        nat_traversal=yes
        plutodebug=none
        charondebug="dmn 0, mgr 0, ike 2, chd 0, job 0, cfg 3, knl 2, net 2, enc 0, lib 0"
conn to-fortinet
        left=%defaultroute
        leftid=@gateway
        leftsubnet=172.22.0.0/24
        leftfirewall=yes
        right=X.X.4.95
        rightsubnet=10.0.0.0/24
        ike=aes128-md5-modp1536!
        esp=aes128-md5-modp1536!
        keyexchange=ikev2
        mobike=no
        ikelifetime=60m
        keylife=20m
        compress=no
        pfs=yes
        authby=secret
        dpdaction=restart
        dpddelay=10
        dpdtimeout=30
        auto=add
        keyingtries=1
        rekeymargin=3m
        forceencaps=no
        reauth=yes
And here is the log from the Fortigate box:
ike 0: comes 174.90.250.213:500->X.X.4.95:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=3ccd235c66a55818/0000000000000000 len=368
ike 0:omg-p1: new connection.
ike 0:omg-p1:64: responder received SA_INIT msg
ike 0:omg-p1:64: received notify type NAT_DETECTION_SOURCE_IP
ike 0:omg-p1:64: processing NAT-D payload
ike 0:omg-p1:64: NAT not detected
ike 0:omg-p1:64: process NAT-D
ike 0:omg-p1:64: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:omg-p1:64: processing NAT-D payload
ike 0:omg-p1:64: NAT not detected
ike 0:omg-p1:64: process NAT-D
ike 0:omg-p1:64: incoming proposal:
ike 0:omg-p1:64: proposal id = 1:
ike 0:omg-p1:64: protocol = IKEv2:
ike 0:omg-p1:64: encapsulation = IKEv2/none
ike 0:omg-p1:64: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:omg-p1:64: type=INTEGR, val=AUTH_HMAC_MD5_96
ike 0:omg-p1:64: type=PRF, val=PRF_HMAC_MD5
ike 0:omg-p1:64: type=DH_GROUP, val=1536.
ike 0:omg-p1:64: matched proposal id 1
ike 0:omg-p1:64: responder preparing SA_INIT msg
ike 0:omg-p1:64: send SA_INIT_RESPONSE
ike 0:omg-p1:64: sent IKE msg (SA_INIT_RESPONSE): X.X.4.95:500->174.90.250.213:500, len=352
ike 0: comes 174.90.250.213:500->X.X.4.95:500,ifindex=5....
ike 0: IKEv2 exchange=AUTH id=3ccd235c66a55818/20ed0399f3ab87e2:00000001 len=220
ike 0: found omg-p1 X.X.4.95 5 -> 174.90.250.213:500
ike 0:omg-p1:64: responder received AUTH msg
ike 0:omg-p1:64: auth verify done
ike 0:omg-p1:64: responder AUTH continuation
ike 0:omg-p1:64: authentication succeeded
ike 0:omg-p1:64: responder creating new child
ike 0:omg-p1:64:962: peer proposal is: peer:172.22.0.0-172.22.0.255, me:10.0.0.0-10.0.0.255, ports=0/0, protocol=0/0
ike 0:omg-p1:64:962: trying omg-p2
ike 0:omg-p1:64:omg-p2:962: matched phase2
ike 0:omg-p1:64:omg-p2:962: dialup
ike 0:omg-p1:64:omg-p2:962: incoming proposal:
ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
ike 0:omg-p1:64:omg-p2:962: encapsulation = TUNNEL
ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
ike 0:omg-p1:64:omg-p2:962: PFS is disabled
ike 0:omg-p1:64:omg-p2:962: my proposal:
ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
ike 0:omg-p1:64:omg-p2:962: encapsulation = TUNNEL
ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
ike 0:omg-p1:64:omg-p2:962: type=DH_GROUP, val=1536
ike 0:omg-p1:64:omg-p2:962: lifetime=1800
ike 0:omg-p1:64:omg-p2:962: no proposal chosen
ike Negotiate SA Error: ike ike [832]
ike 0:omg-p1:64: create_child_responder failed
ike 0:omg-p1:64: expiring IKE SA 3ccd235c66a55818/20ed0399f3ab87e2
ike 0:omg-p1: deleting
ike 0:omg-p1: flushing
ike 0:omg-p1: sending SNMP tunnel DOWN trap
ike 0:omg-p1: flushed
ike 0:omg-p1: deleted
Cheers,
Alexis
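The FortiGate log above prints both sides of the failed CHILD_SA negotiation: its own ESP proposal carries a DH_GROUP transform, the peer's carries none, and that is what it reports as "PFS is disabled". The following is an added example (not code from the post, strongSwan or Fortinet) that parses that log format and names the transform type one proposal offers and the other lacks; its input is a constructed, abbreviated copy of the CHILD_SA excerpt quoted in the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the CHILD_SA portion of the FortiGate log quoted above.
SAMPLE_LOG = """\
ike 0:omg-p1:64:omg-p2:962: incoming proposal:
ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
ike 0:omg-p1:64:omg-p2:962: PFS is disabled
ike 0:omg-p1:64:omg-p2:962: my proposal:
ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
ike 0:omg-p1:64:omg-p2:962: type=DH_GROUP, val=1536
ike 0:omg-p1:64:omg-p2:962: no proposal chosen
"""

HEADER_RE = re.compile(r":\s*(incoming|my) proposal:\s*$")
PROTO_RE = re.compile(r":\s*protocol = (\w+):?\s*$")
TRANSFORM_RE = re.compile(r":\s*type=(\w+),\s*val=(.+?)\s*$")


def parse_esp_proposals(log: str) -> Dict[str, Set[str]]:
    """Return {'incoming': ..., 'my': ...} as sets of 'TYPE=val'; only ESP blocks count, so the IKE_SA (IKEv2) proposal is skipped."""
    sides: Dict[str, Set[str]] = {"incoming": set(), "my": set()}
    side, proto = None, None
    for line in log.splitlines():
        if m := HEADER_RE.search(line):
            side, proto = m.group(1), None      # new block: side known, protocol not yet
        elif m := PROTO_RE.search(line):
            proto = m.group(1)
        elif (m := TRANSFORM_RE.search(line)) and side and proto == "ESP":
            sides[side].add(f"{m.group(1)}={m.group(2)}")
    return sides


def explain_mismatch(log: str) -> List[str]:
    """Name each transform type that one side offered and the other did not."""
    sides = parse_esp_proposals(log)
    types = {s: {t.split("=", 1)[0] for t in v} for s, v in sides.items()}
    findings = []
    for offered, missing in (("my", "incoming"), ("incoming", "my")):
        for ttype in sorted(types[offered] - types[missing]):
            vals = sorted(t for t in sides[offered] if t.startswith(ttype + "="))
            findings.append(f"{ttype} offered only in '{offered}' proposal ({', '.join(vals)}), absent from '{missing}'")
    return findings
```

Run on the sample, `explain_mismatch` reports only DH_GROUP=1536 on the FortiGate side, matching the "PFS is disabled" verdict in the log.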