[strongSwan] Strong Swan 5.1.1 - pfse=no ignored - How can I disable PFS?

Noel Kuntze noel at familie-kuntze.de
Mon Dec 9 18:51:49 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Sergio,

I don't think PFS is the issue then, as you would get a NO_PROP_CHOSEN error when connecting, if it was.
Did you make sure that ip_forwarding is enabled and the packets are altered/dropped/rejected by iptables, if needed?
StrongSwan doesn't do that for you.
Refer to [1] for the needed settings and a how-to.

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Regards
Noel Kuntze
On 09.12.2013 18:09, Sergio Samayoa wrote:
> Hi Noel.
>
> Thanks but I already tried that way but same result.
>
> I tried:
>
> esp=3des-sha1
> esp=3des-sha1!
> esp=3des-sha1-null
> esp=3des-sha1-null!
>
> But PFS seems still enabled.
>
> Regards.
>
>
>
>
>
> 2013/12/9 Noel Kuntze <noel at familie-kuntze.de>
>
>     Hello Sergio,
>
>     You do this by using "esp=3des-sha1!".
>     Note the "!" At the end, telling strongswan to only send this proposal when negotiating phase 2.
>     Also remove the "pfs" line, as it's deprecated.
>
>     Regards
>     Noel Kuntze
>
>
>
>     Sergio Samayoa <sergiosamayoa at icon.com.gt> schrieb:
>
>         Hi.
>
>         We need to connect to Checkpoint FW with the following configuration:
>
>         Phase 1
>         Authentication Method: pre-shared key
>         Pre-shared key: *********
>         Encryption Scheme: IKE
>         Diffie-Hellman Group: Group 2
>         Encryption Algorithm: 3DES
>         Hashing Algorithm: SHA-1
>         Main or Aggressive Mode: Main mode
>         Lifetime (for renegotiation): 86400s
>
>         Phase 2
>         Encapsulation (ESP or AH): ESP
>         Encryption Algorithm: 3DES
>         Authentication Algorithm: SHA-1
>         Perfect Forward Secrecy: NO PFS
>         Lifetime (for renegotiation): 3600s
>
>         Our configuration file is:
>
>         conn TMCO
>                 ikelifetime=86400s
>                 keylife=3600s
>                 keyexchange=ikev1
>                 authby=secret
>                 ike=3des-sha1-modp1024
>                 esp=3des-sha1
>                 left=x.x.x.x
>                 leftsubnet=192.168.15.0/24
>                 leftfirewall=yes
>                 leftsourceip=x.x.x.x
>                 right=y.y.y.y
>                 pfs=no
>
>         When I start strongSwan I get this message in the console:
>
>         # deprecated keyword 'pfs' in conn 'TMCO'
>           PFS is enabled by specifying a DH group in the 'esp' cipher suite
>
>         Phase 1 is completed and I can see the security associations but I can't reach any host in the right part because strongSwan is using PFS.
>
>         AFAIK I'm not setting dhgroup in esp (esp=3des-sha1) but Strongswan insists in enabling PFS.
>
>         How can I disable PFS?
>
>         --
>         Sergio Samayoa
>         Systems Architect
>         email: sergiosamayoa at icon.com.gt
>         Móvil: (502) 5917 7888
>         Skype: sergio.e.samayoa
>
>         http://www.icon-americas.com
>
>         -------------------------
>
>         Users mailing list
>         Users at lists.strongswan.org
>
>         https://lists.strongswan.org/mailman/listinfo/users
>
>
>     --
>     Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
>
>
>
>
> --
> Sergio Samayoa
> Systems Architect
> email: sergiosamayoa at icon.com.gt
> Móvil: (502) 5917 7888
> Skype: sergio.e.samayoa
>
> http://www.icon-americas.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSpgM1AAoJEDg5KY9j7GZY2kwP/2K9Fwwv0UzOihuEACM8ZhYD
m4axUthqJ4feh7T+KbWqCcu7fAAPrfinRTiBuL7cdNIJFggAiKKsaT4t1ECeMT4B
hy7gCeYzuc/pGw36HtPaxgcQwbNuDoi3jWPyyDRz/JsqU6WuLxEF+CscX+MJdJex
yige5RZqejAny0CrYF0JcWCN9WWmIYXoDtPcgT8zxVEH8458DmARiN9Zhq2g2orW
6t8lnBKTTWwx8apV2yX7EI4htle404yTyQ5PDj1GQ1HSEgOO9JbeRAQh7hT4viNP
sL3PmCPRLXY73vCaZQetAwTfd1c8K0c2LzjLJVdhTQGzwcekgq2qqJrCwnWc/iFt
meYNvFd2dW46PYxpND7coZFVc0cZWFH1Uqus4Iuboy3zZ2enxVwr8UCQTG7xSl9c
unG7e6CllNAFqdHU7LKlw4s1Sbh5iwBaiOsv6BddxrgrvzsKXMSVPyYjTwuXk/pi
XxeAXaOOpkxRru1jfI/EoH5ChcbMFOVEPShTrSPGLzb+IBd2DA9Ygbz4ot6VKyAr
9qjVbi9SJy5zDHyze4SPZtWuRiW982X1IP55IQU9QcuhQv2e8rsQWh2wwD99cjG7
peMEVIjdcPaBHLCYKLAkNKqKLCiyTG1NMGu2mAUx/sFFRf2I0RaKYsSEMtNTeiYw
VuUwtkl64IYOOSi1zgKF
=BbZI
-----END PGP SIGNATURE-----
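The point of the thread is the warning strongSwan prints: the `pfs` keyword is ignored, and phase 2 PFS is requested only when the `esp=` proposal names a DH group. The following linter, an added example that is neither from the thread nor strongSwan's own code, parses `conn` blocks from ipsec.conf-style text and reports, per proposal, whether a DH group (and therefore PFS) is present, whether the deprecated `pfs=` line is still there, and whether the trailing `!` that restricts strongSwan to the listed proposals is set. The `DH_GROUPS` set is an assumed, non-exhaustive list of standard strongSwan group keywords (only `modp1024` appears in the thread); the sample configuration is constructed, with the `with-pfs` conn being hypothetical.

```python
import re

# strongSwan DH group keywords. A DH group inside an esp= proposal is what
# turns on PFS for phase 2; modp1024 is the group used in the thread's ike=
# line, the rest are standard strongSwan keyword names (assumed, not
# exhaustive).
DH_GROUPS = {
    "modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
    "modp6144", "modp8192", "ecp256", "ecp384", "ecp521",
}

# Constructed sample: the thread's conn TMCO (pfs=no is ignored by strongSwan
# 5.x) plus a hypothetical second conn that requests PFS via modp2048.
SAMPLE_CONF = """\
config setup
        charondebug="cfg 2"

conn TMCO
        ikelifetime=86400s
        keylife=3600s
        keyexchange=ikev1
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=x.x.x.x
        leftsubnet=192.168.15.0/24
        leftfirewall=yes
        right=y.y.y.y
        pfs=no

conn with-pfs
        keyexchange=ikev2
        esp=aes128-sha256-modp2048,aes256-sha256-modp2048!
"""


def parse_conn_blocks(text):
    """Split ipsec.conf-style text into {conn_name: {key: value}}.

    Indented lines belong to the most recent 'conn' header; other top-level
    sections ('config setup', 'ca ...') are skipped. '#' starts a comment.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header at column 0
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def pfs_status(conn):
    """Describe how PFS is configured for one conn block.

    Returns a dict with:
      deprecated_pfs - True if the ignored 'pfs=' keyword is present
      strict         - True if esp= ends in '!', i.e. only the listed
                       proposals are sent and no defaults are added
      proposals      - list of (proposal, dh_group_or_None); None means the
                       proposal carries no DH group, so no PFS is proposed
    """
    esp = conn.get("esp", "")
    strict = esp.endswith("!")
    proposals = []
    for proposal in esp.rstrip("!").split(","):
        if not proposal:
            continue
        dh = [alg for alg in proposal.split("-") if alg in DH_GROUPS]
        proposals.append((proposal, dh[0] if dh else None))
    return {"deprecated_pfs": "pfs" in conn, "strict": strict, "proposals": proposals}


def report(text):
    """Human-readable findings for every conn in the text, in file order."""
    lines = []
    for name, conn in parse_conn_blocks(text).items():
        status = pfs_status(conn)
        if status["deprecated_pfs"]:
            lines.append(f"{name}: 'pfs=' is deprecated and ignored; PFS is set by a DH group in esp=")
        for proposal, dh in status["proposals"]:
            if dh:
                lines.append(f"{name}: esp proposal '{proposal}' enables PFS ({dh})")
            else:
                lines.append(f"{name}: esp proposal '{proposal}' has no DH group, so no PFS is proposed")
        if status["proposals"] and not status["strict"]:
            lines.append(f"{name}: esp= lacks a trailing '!', so strongSwan may also offer its default proposals")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONF):
        print(finding)
```

Run against the thread's own `conn TMCO`, the tool reports the deprecated `pfs=` line and a `3des-sha1` proposal with no DH group; the same holds for every variant Sergio tried (`3des-sha1!`, `3des-sha1-null`, `3des-sha1-null!`), which is consistent with Noel's reply that PFS is not the cause. A conn with no `esp=` at all yields an empty proposal list rather than any claim about strongSwan's defaults, and the linter says nothing about IP forwarding or iptables, which Noel points to as the more likely reason traffic does not flow.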