[strongSwan] IKEv2 PFS disabled
Martin Willi
martin at strongswan.org
Mon Dec 13 09:51:55 CET 2010
Hi Alexis,
> esp=aes128-md5-modp1536!
> pfs=yes
The pfs keyword is not used for IKEv2 connections. If the esp proposal
contains a DH group, a DH exchange is done for CREATE_CHILD_SA
exchanges.
> ike 0:omg-p1:64:omg-p2:962: incoming proposal:
> ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
> ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
> ike 0:omg-p1:64:omg-p2:962: encapsulation = TUNNEL
> ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
> ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
> ike 0:omg-p1:64:omg-p2:962: PFS is disabled
> ike 0:omg-p1:64:omg-p2:962: my proposal:
> ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
> ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
> ike 0:omg-p1:64:omg-p2:962: encapsulation = TUNNEL
> ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
> ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
> ike 0:omg-p1:64:omg-p2:962: type=DH_GROUP, val=1536
> ike 0:omg-p1:64:omg-p2:962: lifetime=1800
> ike 0:omg-p1:64:omg-p2:962: no proposal chosen
Fortigate expects a DH group in the piggy-packed CHILD_SA creation in
IKE_AUTH. This seems wrong to me. As we have done a DH exchange in
IKE_SA_INIT, it does not make much sense to repeat one in IKE_AUTH.
End of section 1.2 RFC5996 says:
> Note that IKE_AUTH messages do not contain KEi/KEr or Ni/Nr payloads.
> Thus, the SA payloads in the IKE_AUTH exchange cannot contain
> Transform Type 4 (Diffie-Hellman group) with any value other than
> NONE. Implementations SHOULD omit the whole transform substructure
> instead of sending value NONE.
You probably should report this bug to Fortigate and/or try it without
PFS enabled.
Regards
Martin
More information about the Users
mailing list