[strongSwan] Strong Swan 5.1.1 - pfse=no ignored - How can I disable PFS?
Thomas Egerer
hakke_007 at gmx.de
Mon Dec 9 18:49:57 CET 2013
On 12/09/2013 06:09 PM, Sergio Samayoa wrote:
> Hi Noel.
>
> Thanks but I already tried that way but same result.
>
> I tried:
>
> esp=3des-sha1
> esp=3des-sha1!
> esp=3des-sha1-null
> esp=3des-sha1-null!
>
> But PFS seems still enabled.
>
> Regards.
>
>
>
>
>
> 2013/12/9 Noel Kuntze <noel at familie-kuntze.de>
>
>> Hello Sergio,
>>
>> You do this by using "esp=3des-sha1!".
>> Note the "!" at the end, telling strongswan to only send this proposal
>> when negotiating phase 2.
>> Also remove the "pfs" line, as it's deprecated.
>>
>> Regards
>> Noel Kuntze
>>
>>
>>
>> Sergio Samayoa <sergiosamayoa at icon.com.gt> schrieb:
>>>
>>> Hi.
>>>
>>> We need to connect to Checkpoint FW with the following configuration:
>>>
>>> Phase 1
>>> Authentication Method pre-shared key
>>> pre-shared key *********
>>> Encryption Scheme IKE
>>> Diffie-Hellman Group Group 2
>>> Encryption Algorithm 3DES
>>> Hashing Algorithm Sha-1
>>> Main or Aggressive Mode Main mode
>>> Lifetime (for renegotiation) 86400s
>>>
>>> Phase 2
>>> Encapsulation (ESP or AH) ESP
>>> Encryption Algorithm 3DES
>>> Authentication Algorithm Sha-1
>>> Perfect Forward Secrecy NO PFS
>>> Lifetime (for renegotiation) 3600s
>>>
>>> Our configuration file is:
>>>
>>> conn TMCO
>>> ikelifetime=86400s
>>> keylife=3600s
>>> keyexchange=ikev1
>>> authby=secret
>>> ike=3des-sha1-modp1024
>>> esp=3des-sha1
>>> left=x.x.x.x
>>> leftsubnet=192.168.15.0/24
>>> leftfirewall=yes
>>> leftsourceip=x.x.x.x
>>> right=y.y.y.y
>>> pfs=no
>>>
>>> When I start strongswan I get this message in the console:
>>>
>>> # deprecated keyword 'pfs' in conn 'TMCO'
>>> PFS is enabled by specifying a DH group in the 'esp' cipher suite
>>>
>>> Phase 1 is completed and I can see the security associations but I can't
>>> reach any host in the right part because Strongswan is using PFS.
>>>
>>> AFAIK I'm not setting dhgroup in esp (esp=3des-sha1) but Strongswan
>>> insists on enabling PFS.
>>>
>>> How can I disable PFS?
Hi Sergio,
can you run
> stroke loglevel cfg 2
Then try to initiate the connection and look for charon's log output
<snip>
received proposals: [...]
configured proposals: [...]
selected proposals: [...] // <- this line is most likely missing
<snap>
Be sure to select the proposal selection for the child configuration
you're interested in.
Cheers,
Thomas
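Added example, not from the thread or from the strongSwan project: a small checker for the two points raised above. Noel's reply explains that in strongSwan 5.x PFS for phase 2 is turned on only by a DH group inside the `esp=` proposal (the `pfs=` keyword is deprecated and ignored), and Thomas's reply says to look at charon's `received proposals` / `configured proposals` / `selected proposals` lines at `stroke loglevel cfg 2`. The script parses a constructed `ipsec.conf` fragment modelled on the `conn TMCO` in the thread, reports whether each conn's `esp=` line carries a DH group (and therefore PFS) and whether the deprecated `pfs` keyword is still present, and then scans constructed charon-style log lines for a missing `selected proposals` line. The DH group name pattern and the exact shape of the log lines are assumptions; real charon output is more verbose.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ipsec.conf fragment modelled on the thread's conn TMCO.
# The first conn has no DH group in esp= (no PFS) but still carries the
# deprecated pfs= keyword; the second enables PFS via modp1024 and uses '!'.
SAMPLE_CONF = """\
conn TMCO
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=no

conn TMCO-pfs
    esp=3des-sha1-modp1024!
"""

# DH group names usable in strongSwan proposal strings (modpNNNN[sNNN],
# ecpNNN[bp]; newer releases also accept curve25519/curve448).
# Assumption: this pattern covers the groups relevant here.
DH_GROUP = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448)$")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: 'conn NAME' sections into {name: {key: value}}."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def split_proposals(value: str) -> Tuple[List[List[str]], bool]:
    """Split 'aes128-sha1,3des-sha1-modp1024!' into algorithm lists + strict flag."""
    strict = value.endswith("!")
    value = value.rstrip("!")
    return [p.split("-") for p in value.split(",") if p], strict


def check_pfs(conn: Dict[str, str]) -> Dict[str, object]:
    """PFS is on iff some esp proposal contains a DH group token."""
    proposals, strict = split_proposals(conn.get("esp", ""))
    dh = sorted({t for p in proposals for t in p if DH_GROUP.match(t)})
    return {
        "pfs_enabled": bool(dh),
        "dh_groups": dh,
        "strict": strict,                      # '!' -> send only this proposal
        "deprecated_pfs_keyword": "pfs" in conn,  # ignored by strongSwan 5.x
    }


# Constructed charon lines shaped like the three lines Thomas points at:
# the peer offers no DH group, our configured proposal has one, so no
# 'selected proposals' line follows.
CHARON_LOG = """\
14[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
14[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
14[CFG] no acceptable proposal found
"""

PROPOSAL_LINE = re.compile(r"(received|configured|selected) proposals: (.*)$")
DH_IN_LOG = re.compile(r"\b(MODP_\d+|ECP_\d+|CURVE_\d+)\b")


def check_charon_log(log: str) -> Dict[str, object]:
    """Report a missing 'selected proposals' line and the DH groups on each side."""
    found: Dict[str, str] = {}
    for line in log.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return {
        "selected_missing": "selected" not in found,
        "configured_dh": DH_IN_LOG.findall(found.get("configured", "")),
        "received_dh": DH_IN_LOG.findall(found.get("received", "")),
    }


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, check_pfs(conn))
    print("charon:", check_charon_log(CHARON_LOG))
```

On the constructed input the first conn reports `pfs_enabled: False` with the deprecated keyword flagged, the second reports `modp1024` and strict mode, and the log scan reports that `selected proposals` is missing while only the configured side carries `MODP_1024`, which is the mismatch pattern to look for when a peer insists on no PFS.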