[strongSwan] IKEv2 PFS status

Alexis Salinas alexis.salinas at inmotiontechnology.com
Fri Mar 18 00:45:22 CET 2011


Hi All,
I'm wondering if someone knows how to check if PFS is enabled, and the DH group being used by a given CHILD_SA. 
From an older post (https://lists.strongswan.org/pipermail/users/2008-October/002822.html) I got this: "The modp option in the esp definition is ignored when setting up the first CHILD_SA as part of the IKE_AUTH exchange. Separate DH factors are used by CREATE_CHILD_SA exchanges establishing additional CHILD_SAs or during IPSec SA rekeying. With this behaviour "Perfect Forward Secrecy is achieved"."

So I configured a couple of gateways like shown below, but when I check 'ipsec statusall' I don't see any reference to PFS on the second CHILD_SA.
Am I doing something wrong?
Thanks in advance.

config setup
        cachecrls=no
        charonstart=yes
        crlcheckinterval=0
        plutostart=yes
        strictcrlpolicy=no
        nat_traversal=yes
        plutodebug=none
        charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, enc 0, lib 0"


#gw1-to-gw2
conn gw1-to-gw2
        left=192.168.3.31
        leftid=@H020109D0001
        leftsubnet=172.22.0.0/24
        leftnexthop=192.168.2.128
        leftfirewall=yes
        right=192.168.3.110
        rightsubnet=10.0.0.0/24
        ike=aes128-md5-modp1536!
        esp=aes128-md5-modp1024!
        keyexchange=ikev2
        mobike=yes
        ikelifetime=60m
        keylife=20m
        compress=no
        authby=secret
        dpdaction=restart
        dpddelay=10
        dpdtimeout=30
        auto=add
        keyingtries=1
        rekeymargin=3m
        forceencaps=yes
        reauth=yes

#gw1-to-gw2-child2
conn gw1-to-gw2-child2
        left=192.168.3.31
        leftid=@H020109D0001
        leftsubnet=172.22.1.0/24
        leftnexthop=192.168.2.128
        leftfirewall=yes
        right=192.168.3.110
        rightsubnet=10.1.0.0/24
        ike=aes128-md5-modp1536!
        esp=aes128-md5-modp1024!
        keyexchange=ikev2
        mobike=yes
        ikelifetime=60m
        keylife=20m
        compress=no
        authby=secret
        dpdaction=restart
        dpddelay=10
        dpdtimeout=30
        auto=add
        keyingtries=1
        rekeymargin=3m
        forceencaps=yes
        reauth=yes


Security Associations:
gw1-to-gw2[1]: ESTABLISHED 50 seconds ago, 192.168.3.31[H020109D0001]...192.168.3.110[192.168.3.110]
gw1-to-gw2[1]: IKE SPIs: e60a4f49fa294bcd_i* f6d5a905dfa97711_r, pre-shared key reauthentication in 55 minutes
gw1-to-gw2[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
gw1-to-gw2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c911f5f8_i cf631c91_o
gw1-to-gw2{1}:  AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
gw1-to-gw2{1}:   172.22.0.0/24 === 10.0.0.0/24
gw1-to-gw2-child2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c3013ecc_i c2eb28c9_o
gw1-to-gw2-child2{2}:  AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
gw1-to-gw2-child2{2}:   172.22.1.0/24 === 10.1.0.0/24




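As an added example (my code, not part of the original post or of strongSwan itself), here is a small Python checker that parses `ipsec statusall` output and reports, for each CHILD_SA, whether a DH group (MODP_*/ECP_*) appears in its proposal line. strongSwan prints the group there only when that CHILD_SA was keyed with its own DH exchange, so a CHILD_SA line without a group is one that did not get PFS. The sample input is the excerpt from the post plus one constructed line for a hypothetical CHILD_SA `{3}` carrying `MODP_1024`, added only to show what the positive case looks like.

```python
import re

# Constructed sample: the `ipsec statusall` excerpt from the post, plus a
# hypothetical third CHILD_SA (gw1-to-gw2{3}) with a DH group in its proposal,
# added here as an assumption to show what a PFS-keyed CHILD_SA looks like.
SAMPLE_STATUS = """\
Security Associations:
gw1-to-gw2[1]: ESTABLISHED 50 seconds ago, 192.168.3.31[H020109D0001]...192.168.3.110[192.168.3.110]
gw1-to-gw2[1]: IKE SPIs: e60a4f49fa294bcd_i* f6d5a905dfa97711_r, pre-shared key reauthentication in 55 minutes
gw1-to-gw2[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
gw1-to-gw2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c911f5f8_i cf631c91_o
gw1-to-gw2{1}:  AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
gw1-to-gw2{1}:   172.22.0.0/24 === 10.0.0.0/24
gw1-to-gw2-child2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c3013ecc_i c2eb28c9_o
gw1-to-gw2-child2{2}:  AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
gw1-to-gw2-child2{2}:   172.22.1.0/24 === 10.1.0.0/24
gw1-to-gw2{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: 0a0a0a0a_i 0b0b0b0b_o
gw1-to-gw2{3}:  AES_CBC_128/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 19 minutes
gw1-to-gw2{3}:   172.22.0.0/24 === 10.0.0.0/24
"""

# "name[N]: IKE proposal: ALG/ALG/PRF/GROUP"
IKE_PROPOSAL = re.compile(r'^(?P<name>\S+\[\d+\]):\s+IKE proposal:\s+(?P<prop>[A-Z0-9_/]+)')
# "name{N}:  ALG/ALG[/GROUP], <n> bytes_i, ..."  (the traffic-counter line of a CHILD_SA)
CHILD_PROPOSAL = re.compile(r'^(?P<name>\S+\{\d+\}):\s+(?P<prop>[A-Z0-9_/]+),.*bytes_i')
# DH group names as strongSwan prints them
DH_GROUP = re.compile(r'^(MODP|ECP)_\d+$')


def dh_group_of(proposal):
    """Return the DH group token in a slash-separated proposal, or None."""
    for alg in proposal.split('/'):
        if DH_GROUP.match(alg):
            return alg
    return None


def parse_status(text):
    """Split statusall output into IKE_SA and CHILD_SA proposal records.

    Returns (ike, children): dicts keyed by the SA label ("conn[N]" / "conn{N}")
    whose values carry the raw proposal, the DH group if any, and for CHILD_SAs
    a 'pfs' flag meaning "this SA was keyed with its own DH exchange".
    """
    ike, children = {}, {}
    for line in text.splitlines():
        m = IKE_PROPOSAL.match(line)
        if m:
            ike[m['name']] = {'proposal': m['prop'], 'dh_group': dh_group_of(m['prop'])}
            continue
        m = CHILD_PROPOSAL.match(line)
        if m:
            group = dh_group_of(m['prop'])
            children[m['name']] = {'proposal': m['prop'], 'dh_group': group, 'pfs': group is not None}
    return ike, children


def without_pfs(text):
    """Sorted labels of CHILD_SAs whose proposal shows no DH group."""
    _, children = parse_status(text)
    return sorted(name for name, rec in children.items() if not rec['pfs'])


if __name__ == '__main__':
    ike, children = parse_status(SAMPLE_STATUS)
    for name, rec in ike.items():
        print(f"{name}: IKE DH group {rec['dh_group']}")
    for name, rec in children.items():
        print(f"{name}: {rec['proposal']}  PFS={'yes (' + rec['dh_group'] + ')' if rec['pfs'] else 'no'}")
```

Run against the output from the post, the checker lists both `gw1-to-gw2{1}` and `gw1-to-gw2-child2{2}` as lacking a DH group, which matches what the post observes; only the constructed `{3}` line reports PFS. The same script can be fed live output with `ipsec statusall | python3 checker.py` after swapping `SAMPLE_STATUS` for `sys.stdin.read()`.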