[strongSwan] IKEv2 PFS disabled

Martin Willi martin at strongswan.org
Mon Dec 13 09:51:55 CET 2010


Hi Alexis,

>         esp=aes128-md5-modp1536!
>         pfs=yes

The pfs keyword is not used for IKEv2 connections. If the esp proposal
contains a DH group, a DH exchange is done for CREATE_CHILD_SA
exchanges.

> ike 0:omg-p1:64:omg-p2:962: incoming proposal:
> ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
> ike 0:omg-p1:64:omg-p2:962:   protocol = ESP:
> ike 0:omg-p1:64:omg-p2:962:      encapsulation = TUNNEL
> ike 0:omg-p1:64:omg-p2:962:         type=ENCR, val=AES_CBC (key_len = 128)
> ike 0:omg-p1:64:omg-p2:962:         type=INTEGR, val=MD5
> ike 0:omg-p1:64:omg-p2:962:         PFS is disabled
> ike 0:omg-p1:64:omg-p2:962: my proposal:
> ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
> ike 0:omg-p1:64:omg-p2:962:   protocol = ESP:
> ike 0:omg-p1:64:omg-p2:962:      encapsulation = TUNNEL
> ike 0:omg-p1:64:omg-p2:962:         type=ENCR, val=AES_CBC (key_len = 128)
> ike 0:omg-p1:64:omg-p2:962:         type=INTEGR, val=MD5
> ike 0:omg-p1:64:omg-p2:962:         type=DH_GROUP, val=1536
> ike 0:omg-p1:64:omg-p2:962: lifetime=1800
> ike 0:omg-p1:64:omg-p2:962: no proposal chosen

Fortigate expects a DH group in the piggy-packed CHILD_SA creation in
IKE_AUTH. This seems wrong to me. As we have done a DH exchange in
IKE_SA_INIT, it does not make much sense to repeat one in IKE_AUTH.

End of section 1.2 RFC5996 says:

> Note that IKE_AUTH messages do not contain KEi/KEr or Ni/Nr payloads.
> Thus, the SA payloads in the IKE_AUTH exchange cannot contain
> Transform Type 4 (Diffie-Hellman group) with any value other than
> NONE.  Implementations SHOULD omit the whole transform substructure
> instead of sending value NONE.

You probably should report this bug to Fortigate and/or try it without
PFS enabled.

Regards
Martin





More information about the Users mailing list