[strongSwan] strongSwan 5.1.1 - pfs=no ignored - How can I disable PFS?

Sergio Samayoa sergiosamayoa at icon.com.gt
Mon Dec 9 17:10:39 CET 2013


Hi.

We need to connect to Checkpoint FW with the following configuration:

Phase 1
Authentication Method pre-shared key
pre-shared key *********
Encryption Scheme IKE
Diffie-Hellman Group Group 2
Encryption Algorithm 3DES
Hashing Algorithm Sha-1
Main or Aggressive Mode Main mode
Lifetime (for renegotiation) 86400s

Phase 2
Encapsulation (ESP or AH) ESP
Encryption Algorithm 3DES
Authentication Algorithm Sha-1
Perfect Forward Secrecy NO PFS
Lifetime (for renegotiation) 3600s

Our configuration file is:

conn TMCO
        # Phase 1 (IKE): PSK, Main mode, 3DES / SHA-1 / DH group 2, 24 h
        ikelifetime=86400s
        keyexchange=ikev1
        authby=secret
        ike=3des-sha1-modp1024
        # Phase 2 (ESP): 3DES / SHA-1, 1 h, no DH group given
        keylife=3600s
        esp=3des-sha1
        left=x.x.x.x
        leftsubnet=192.168.15.0/24
        leftfirewall=yes
        leftsourceip=x.x.x.x
        right=y.y.y.y
        # deprecated in 5.x, see the warning below
        pfs=no

When I start strongSwan I get this message in the console:

# deprecated keyword 'pfs' in conn 'TMCO'
  PFS is enabled by specifying a DH group in the 'esp' cipher suite

Phase 1 is completed and I can see the security associations, but I can't
reach any host on the right side because strongSwan is using PFS.

AFAIK I'm not setting a DH group in esp (esp=3des-sha1), but strongSwan insists
on enabling PFS.

How can I disable PFS?

-- 
Sergio Samayoa
Systems Architect
email: sergiosamayoa at icon.com.gt
Mobile: (502) 5917 7888
Skype: sergio.e.samayoa


http://www.icon-americas.com
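The Checkpoint profile above mapped onto a strongSwan 5.x ipsec.conf, as an added example that is not part of the original post or of the strongSwan project. Addresses and the connection name are placeholders; the remote subnet 10.0.0.0/24 is an assumption and must equal the encryption domain configured on the Checkpoint side. leftsourceip is left out: in strongSwan 5 it requests a virtual IP from the peer, which a site-to-site tunnel with a fixed public address does not need.

```conf
# Added example, not the original poster's file.
# x.x.x.x / y.y.y.y are placeholders; 10.0.0.0/24 is an assumed remote subnet.
conn TMCO
        keyexchange=ikev1
        # Checkpoint: Main mode (aggressive=no is the default, shown for clarity)
        aggressive=no
        # Pre-shared key; the key itself goes into ipsec.secrets
        authby=secret
        # Phase 1: 3DES / SHA-1 / DH group 2 (modp1024), 24 h.
        # The trailing '!' makes the proposal strict (nothing else offered).
        ike=3des-sha1-modp1024!
        ikelifetime=86400s
        # Phase 2: ESP 3DES / SHA-1, 1 h, NO PFS.
        # In 5.x PFS is controlled only here: a proposal without a DH group
        # means no PFS; with PFS it would read esp=3des-sha1-modp1024! instead.
        esp=3des-sha1!
        lifetime=3600s
        left=x.x.x.x
        leftsubnet=192.168.15.0/24
        leftfirewall=yes
        right=y.y.y.y
        # Networks behind the Checkpoint. Without rightsubnet, strongSwan
        # negotiates a tunnel to y.y.y.y itself, so hosts behind it stay
        # unreachable even though the SAs come up.
        rightsubnet=10.0.0.0/24
        auto=start
```

The matching ipsec.secrets entry has the form `x.x.x.x y.y.y.y : PSK "the-shared-key"`. After `ipsec up TMCO`, `ipsec statusall` lists the installed CHILD_SA with its ESP algorithms, e.g. `3DES_CBC/HMAC_SHA1_96`; if PFS were in effect the DH group would be appended to that string as `/MODP_1024`, which is the quickest way to confirm what was actually negotiated rather than what was written in the file.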