[strongSwan] Strong Swan 5.1.1 - pfse=no ignored - How can I disable PFS?

Sergio Samayoa sergiosamayoa at icon.com.gt
Mon Dec 9 18:09:08 CET 2013


Hi Noel.

Thanks but I already tried that way but same result.

I tried:

esp=3des-sha1
esp=3des-sha1!
esp=3des-sha1-null
esp=3des-sha1-null!

But PFS seems still enabled.

Regards.





2013/12/9 Noel Kuntze <noel at familie-kuntze.de>

> Hello Sergio,
>
> You do this by using "esp=3des-sha1!".
> Note the "!" at the end, telling strongswan to only send this proposal
> when negotiating phase 2.
> Also remove the "pfs" line, as it's deprecated.
>
> Regards
> Noel Kuntze
>
>
>
> Sergio Samayoa <sergiosamayoa at icon.com.gt> wrote:
>>
>> Hi.
>>
>> We need to connect to Checkpoint FW with the following configuration:
>>
>> Phase 1
>> Authentication Method pre-shared key
>> pre-shared key *********
>> Encryption Scheme IKE
>> Diffie-Hellman Group Group 2
>> Encryption Algorithm 3DES
>> Hashing Algorithm Sha-1
>> Main or Aggressive Mode Main mode
>> Lifetime (for renegotiation) 86400s
>>
>> Phase 2
>> Encapsulation (ESP or AH) ESP
>> Encryption Algorithm 3DES
>> Authentication Algorithm Sha-1
>> Perfect Forward Secrecy NO PFS
>> Lifetime (for renegotiation) 3600s
>>
>> Our configuration file is:
>>
>> conn TMCO
>>         ikelifetime=86400s
>>         keylife=3600s
>>         keyexchange=ikev1
>>         authby=secret
>>         ike=3des-sha1-modp1024
>>         esp=3des-sha1
>>         left=x.x.x.x
>>         leftsubnet=192.168.15.0/24
>>         leftfirewall=yes
>>         leftsourceip=x.x.x.x
>>         right=y.y.y.y
>>         pfs=no
>>
>> When I start strongswan I get this message in the console:
>>
>> # deprecated keyword 'pfs' in conn 'TMCO'
>>   PFS is enabled by specifying a DH group in the 'esp' cipher suite
>>
>> Phase 1 is completed and I can see the security associations but I can't
>> reach any host in the right part because Strongswan is using PFS.
>>
>> AFAIK I'm not setting dhgroup in esp (esp=3des-sha1) but Strongswan
>> insists on enabling PFS.
>>
>> How can I disable PFS?
>>
>> --
>> Sergio Samayoa
>> Systems Architect
>> email: sergiosamayoa at icon.com.gt
>> Móvil: (502) 5917 7888
>> Skype: sergio.e.samayoa
>>
>> http://www.icon-americas.com
>>
>> ------------------------------
>>
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
> --
> This message was sent from my Android mobile phone with K-9 Mail.
>



-- 
Sergio Samayoa
Systems Architect
email: sergiosamayoa at icon.com.gt
Móvil: (502) 5917 7888
Skype: sergio.e.samayoa

http://www.icon-americas.com
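The warning quoted in the thread states the rule strongSwan applies: PFS is requested by naming a DH group inside the esp= proposal, and the old pfs= keyword is ignored. The following checker is an added example, not code from the thread or from the strongSwan project; it parses an esp= value (comma-separated proposals, dash-separated algorithms, trailing "!" for a strict list) and reports whether any proposal actually requests PFS. The DH group name pattern is an assumption covering the common modp/ecp/curve25519 names, and the sample conn block is constructed from the one posted above.

```python
import re

# Assumption: DH group names in strongSwan proposals follow these families
# (modp1024, modp2048s256, ecp256, ecp224bp, curve25519). Other names exist.
DH_GROUP_RE = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519)$")

# Constructed sample conn block, modelled on the conn TMCO posted in the thread.
SAMPLE_CONN = """conn TMCO
        keyexchange=ikev1
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=x.x.x.x
        right=y.y.y.y
        pfs=no
"""


def parse_proposals(esp_value):
    """Split an esp= value into (strict, [[alg, ...], ...]).

    A trailing '!' marks the proposal list as strict, i.e. only these
    proposals are offered/accepted; it is not itself an algorithm."""
    value = esp_value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = [p.split("-") for p in value.split(",") if p]
    return strict, proposals


def dh_groups(esp_value):
    """Sorted list of DH group names that appear in any of the proposals."""
    _, proposals = parse_proposals(esp_value)
    return sorted({alg for prop in proposals for alg in prop if DH_GROUP_RE.match(alg)})


def pfs_requested(esp_value):
    """True if the esp= value requests PFS, i.e. names at least one DH group."""
    return bool(dh_groups(esp_value))


def check_conn(conf_text):
    """Inspect one ipsec.conf conn block: flag the deprecated (ignored) 'pfs='
    keyword and report what the esp= proposals really request."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, val = line.partition("=")
        settings[key.strip()] = val.strip()
    esp = settings.get("esp", "")
    strict, _ = parse_proposals(esp)
    return {"deprecated_pfs_keyword": "pfs" in settings,
            "esp_strict": strict, "esp_pfs": pfs_requested(esp),
            "esp_dh_groups": dh_groups(esp)}
```

Run `check_conn(SAMPLE_CONN)` to see that the posted block carries the ignored pfs= keyword while its esp= line requests no DH group at all; what the peer then negotiates is a separate question the checker cannot answer.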