[strongSwan] IKEv2 PFS status
Andreas Steffen
andreas.steffen at strongswan.org
Fri Mar 18 10:30:03 CET 2011
Hello Alexis,
ipsec statusall does not show the configuration of PFS. But with
charondebug="cfg 2"
you can verify the PFS negotiation in the charon log.
Best regards
Andreas
On 03/18/2011 12:45 AM, Alexis Salinas wrote:
> Hi All,
> I'm wondering if someone knows how to check if PFS is enabled, and the DH group being used by a given CHILD_SA.
> From an older post (https://lists.strongswan.org/pipermail/users/2008-October/002822.html) I got this: "The modp option in the esp definition is ignored when setting up the first CHILD_SA as part of the IKE_AUTH exchange. Separate DH factors are used by CREATE_CHILD_SA exchanges establishing additional CHILD_SAs or during IPSec SA rekeying. With this behaviour "Perfect Forward Secrecy is achieved"."
>
> So I configured a couple of gateways like shown below, but when I check 'ipsec statusall' I don't see any reference to PFS on the second CHILD_SA.
> Am I doing something wrong?
> Thanks in advance.
>
> config setup
> cachecrls=no
> charonstart=yes
> crlcheckinterval=0
> plutostart=yes
> strictcrlpolicy=no
> nat_traversal=yes
> plutodebug=none
> charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, enc 0, lib 0"
>
>
> #gw1-to-gw2
> conn gw1-to-gw2
> left=192.168.3.31
> leftid=@H020109D0001
> leftsubnet=172.22.0.0/24
> leftnexthop=192.168.2.128
> leftfirewall=yes
> right=192.168.3.110
> rightsubnet=10.0.0.0/24
> ike=aes128-md5-modp1536!
> esp=aes128-md5-modp1024!
> keyexchange=ikev2
> mobike=yes
> ikelifetime=60m
> keylife=20m
> compress=no
> authby=secret
> dpdaction=restart
> dpddelay=10
> dpdtimeout=30
> auto=add
> keyingtries=1
> rekeymargin=3m
> forceencaps=yes
> reauth=yes
>
> #gw1-to-gw2-child2
> conn gw1-to-gw2-child2
> left=192.168.3.31
> leftid=@H020109D0001
> leftsubnet=172.22.1.0/24
> leftnexthop=192.168.2.128
> leftfirewall=yes
> right=192.168.3.110
> rightsubnet=10.1.0.0/24
> ike=aes128-md5-modp1536!
> esp=aes128-md5-modp1024!
> keyexchange=ikev2
> mobike=yes
> ikelifetime=60m
> keylife=20m
> compress=no
> authby=secret
> dpdaction=restart
> dpddelay=10
> dpdtimeout=30
> auto=add
> keyingtries=1
> rekeymargin=3m
> forceencaps=yes
> reauth=yes
>
>
> Security Associations:
> gw1-to-gw2[1]: ESTABLISHED 50 seconds ago, 192.168.3.31[H020109D0001]...192.168.3.110[192.168.3.110]
> gw1-to-gw2[1]: IKE SPIs: e60a4f49fa294bcd_i* f6d5a905dfa97711_r, pre-shared key reauthentication in 55 minutes
> gw1-to-gw2[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> gw1-to-gw2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c911f5f8_i cf631c91_o
> gw1-to-gw2{1}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
> gw1-to-gw2{1}: 172.22.0.0/24 === 10.0.0.0/24
> gw1-to-gw2-child2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c3013ecc_i c2eb28c9_o
> gw1-to-gw2-child2{2}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
> gw1-to-gw2-child2{2}: 172.22.1.0/24 === 10.1.0.0/24
>
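As an added illustration (not part of the thread), the following Python script compares the DH group requested in each conn's esp= line with what the posted `ipsec statusall` output shows for the corresponding CHILD_SA, making Andreas's point concrete: the configured PFS group never appears in statusall, so the charon log is where PFS has to be confirmed. The sample input is constructed from the configuration and status excerpt quoted above; the parsing is a minimal reading of those formats, not a strongSwan API.

```python
import re

# Constructed sample: trimmed ipsec.conf conns and statusall lines from the thread.
IPSEC_CONF = """
conn gw1-to-gw2
    ike=aes128-md5-modp1536!
    esp=aes128-md5-modp1024!
    keyexchange=ikev2

conn gw1-to-gw2-child2
    ike=aes128-md5-modp1536!
    esp=aes128-md5-modp1024!
    keyexchange=ikev2
"""

STATUSALL = """\
gw1-to-gw2[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
gw1-to-gw2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c911f5f8_i cf631c91_o
gw1-to-gw2{1}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
gw1-to-gw2-child2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c3013ecc_i c2eb28c9_o
gw1-to-gw2-child2{2}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
"""

# A modp/ecp token inside an esp= proposal is the PFS group for that CHILD_SA.
DH_RE = re.compile(r"\b(modp\d{3,4}|ecp\d{3})\b", re.IGNORECASE)
# CHILD_SA algorithm line: "<conn>{<id>}: ALG/ALG[/...], ..." (INSTALLED lines have no '/').
CHILD_RE = re.compile(r"(\S+)\{\d+\}: ([A-Z0-9_]+(?:/[A-Z0-9_]+)+),")

def configured_pfs(conf):
    """Map conn name -> DH group named in its esp= line, or None if PFS is not requested."""
    result, conn = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif conn and line.startswith("esp="):
            groups = [g.lower() for prop in line[4:].rstrip("!").split(",")
                      for g in DH_RE.findall(prop)]
            result[conn] = groups[0] if groups else None
    return result

def reported_child_sa_dh(status):
    """Map conn name -> DH group printed on the CHILD_SA algorithm line, or None."""
    result = {}
    for m in filter(None, map(CHILD_RE.match, status.splitlines())):
        dh = [a for a in m.group(2).split("/") if a.startswith(("MODP_", "ECP_"))]
        result[m.group(1)] = dh[0] if dh else None
    return result

def pfs_report(conf, status):
    """Per conn: (PFS group configured in esp=, PFS group visible in statusall)."""
    cfg, seen = configured_pfs(conf), reported_child_sa_dh(status)
    return {name: (cfg[name], seen.get(name)) for name in cfg}
```

For both conns the report pairs "modp1024" with None: PFS is configured, but statusall gives no way to see it.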