[strongSwan] IKEv2 PFS disabled
Alexis Salinas
alexis.salinas at inmotiontechnology.com
Mon Dec 13 19:04:10 CET 2010
Thank you both very much for your quick answer, I'll certainly report this to Fortinet as I already have a ticket open with them. And if you think it could be of any help, I can report back when they fix the bug. Just to confirm, by disabling PFS on the Fortigate, everything works.
Thank you,
Alexis
-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: December-13-10 12:52 AM
To: Alexis Salinas
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv2 PFS disabled
Hi Alexis,
> esp=aes128-md5-modp1536!
> pfs=yes
The pfs keyword is not used for IKEv2 connections. If the esp proposal
contains a DH group, a DH exchange is done for CREATE_CHILD_SA
exchanges.
> ike 0:omg-p1:64:omg-p2:962: incoming proposal:
> ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
> ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
> ike 0:omg-p1:64:omg-p2:962: encapsulation = TUNNEL
> ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
> ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
> ike 0:omg-p1:64:omg-p2:962: PFS is disabled
> ike 0:omg-p1:64:omg-p2:962: my proposal:
> ike 0:omg-p1:64:omg-p2:962: proposal id = 1:
> ike 0:omg-p1:64:omg-p2:962: protocol = ESP:
> ike 0:omg-p1:64:omg-p2:962: encapsulation = TUNNEL
> ike 0:omg-p1:64:omg-p2:962: type=ENCR, val=AES_CBC (key_len = 128)
> ike 0:omg-p1:64:omg-p2:962: type=INTEGR, val=MD5
> ike 0:omg-p1:64:omg-p2:962: type=DH_GROUP, val=1536
> ike 0:omg-p1:64:omg-p2:962: lifetime=1800
> ike 0:omg-p1:64:omg-p2:962: no proposal chosen
Fortigate expects a DH group in the piggybacked CHILD_SA creation in
IKE_AUTH. This seems wrong to me. As we have done a DH exchange in
IKE_SA_INIT, it does not make much sense to repeat one in IKE_AUTH.
End of section 1.2 RFC5996 says:
> Note that IKE_AUTH messages do not contain KEi/KEr or Ni/Nr payloads.
> Thus, the SA payloads in the IKE_AUTH exchange cannot contain
> Transform Type 4 (Diffie-Hellman group) with any value other than
> NONE. Implementations SHOULD omit the whole transform substructure
> instead of sending value NONE.
You probably should report this bug to Fortigate and/or try it without
PFS enabled.
Regards
Martin
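Added example, not code from strongSwan, FortiGate or either poster: a small Python model of the CHILD_SA proposal selection Martin describes, covering both exchanges in the thread. The initiator builds its ESP proposal from a strongSwan-style esp= line and, following RFC 5996 section 1.2, leaves the DH transform out of the piggybacked CHILD_SA in IKE_AUTH and offers it only in CREATE_CHILD_SA. The responder side has a switch that reproduces the behaviour in the quoted log (insisting on a DH group in IKE_AUTH and answering "no proposal chosen") beside the RFC-conforming choice, and a `responder_pfs=False` path for the workaround Alexis confirmed. The keyword table, the function names and the transform representation are assumptions made for illustration; only a handful of esp= keywords are covered.

```python
"""Model of responder proposal selection for an IKEv2 CHILD_SA (RFC 5996).

Added example, not strongSwan or FortiGate code.  The esp= keyword table,
the dict-based transform representation and all function names are
assumptions for illustration only."""

# Transform types, RFC 5996 section 3.3.2
ENCR, INTEG, DH = 1, 3, 4
DH_NONE = 0

# Subset of strongSwan esp= keywords -> (transform type, value).
# Assumption: only these keywords are needed for the example.
ESP_KEYWORDS = {
    "aes128": (ENCR, ("AES_CBC", 128)),
    "aes256": (ENCR, ("AES_CBC", 256)),
    "md5": (INTEG, "HMAC_MD5_96"),
    "sha1": (INTEG, "HMAC_SHA1_96"),
    "sha256": (INTEG, "HMAC_SHA2_256_128"),
    "modp1024": (DH, 2),
    "modp1536": (DH, 5),
    "modp2048": (DH, 14),
}


def parse_esp(line):
    """Turn 'aes128-md5-modp1536!' into {type: {values}}; the strict '!' is ignored."""
    policy = {}
    for token in line.rstrip("!").split("-"):
        ttype, value = ESP_KEYWORDS[token]
        policy.setdefault(ttype, set()).add(value)
    return policy


def initiator_proposal(policy, exchange):
    """Transforms the initiator offers for the CHILD_SA in the given exchange.

    IKE_AUTH carries no KE payload (RFC 5996 section 1.2), so the DH transform
    is omitted there; the group from esp= is offered only in CREATE_CHILD_SA."""
    offered = {t: set(v) for t, v in policy.items() if t != DH}
    if exchange == "CREATE_CHILD_SA" and DH in policy:
        offered[DH] = set(policy[DH])
    return offered


def responder_select(exchange, offered, local, dh_required_in_ike_auth=False):
    """Responder's choice (one value per transform type) or None for NO_PROPOSAL_CHOSEN.

    dh_required_in_ike_auth=True reproduces the behaviour logged in the thread:
    the responder insists on its DH group even in the IKE_AUTH piggybacked
    CHILD_SA, where the initiator cannot legally send one."""
    chosen = {}
    for ttype in (ENCR, INTEG):
        common = offered.get(ttype, set()) & local.get(ttype, set())
        if not common:
            return None
        chosen[ttype] = min(common, key=repr)
    offered_dh = offered.get(DH, set()) - {DH_NONE}
    local_dh = local.get(DH, set())
    if exchange == "IKE_AUTH":
        if offered_dh:
            return None          # illegal here: there is no KE payload to go with it
        if dh_required_in_ike_auth and local_dh:
            return None          # "PFS is disabled ... no proposal chosen"
        return chosen
    # CREATE_CHILD_SA: PFS simply means both sides agree on a DH group
    if local_dh:
        common = offered_dh & local_dh
        if not common:
            return None
        chosen[DH] = min(common)
    return chosen


def negotiate(exchange, initiator_esp, responder_esp, responder_pfs=True,
              dh_required_in_ike_auth=False):
    """Run one CHILD_SA negotiation end to end and return the responder's choice."""
    local = parse_esp(responder_esp)
    if not responder_pfs:
        local.pop(DH, None)      # the workaround from the thread: PFS off on the responder
    offered = initiator_proposal(parse_esp(initiator_esp), exchange)
    return responder_select(exchange, offered, local, dh_required_in_ike_auth)


if __name__ == "__main__":
    esp = "aes128-md5-modp1536!"   # the esp= line quoted in the thread
    print("IKE_AUTH, responder demands DH   :",
          negotiate("IKE_AUTH", esp, esp, dh_required_in_ike_auth=True))
    print("IKE_AUTH, RFC-conforming responder:", negotiate("IKE_AUTH", esp, esp))
    print("CREATE_CHILD_SA (PFS via DH group):", negotiate("CREATE_CHILD_SA", esp, esp))
```

The first call returns None, matching the "no proposal chosen" in the log; the second selects AES-128/MD5 with no DH transform; the third carries group 5 (modp1536), which is where a DH exchange for PFS actually belongs.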