[strongSwan] CHILD SA and PFS

Emeric POUPON emeric.poupon at stormshield.eu
Mon Aug 4 10:11:23 CEST 2014


Thanks for your answer!
You are right, the initial CHILD_SA is negociated during the IKE_AUTH exchange.
I do see a rekey of the CHILD_SA, and there is indeed a PFS included.

However, there is a questionable situation in the case the initiator and the responder sides do not share the same 'esp' PFS group (I set the initiator's lifetime to 3m for testing purposes)
- The first CHILD_SA is created on both sides using IKE_AUTH.
- When the rekey occurs, the responder tells the initiator that no suitable proposal has been chosen. Furthermore the responder keeps the current IKE and CHILD SAs.
- The initiator then shows a 'rekeing active' status but its SA ends up killed by the kernel.
- The initiator has to wait for the IKE SA rekey to get the CHILD SA up again.

initiator side:
#ipsec statusall
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 10 minutes ago,[gw2 at strongswan.org]...[gw1 at strongswan.org]
     net-net[1]: IKEv2 SPIs: 86e385832aae080f_i* acbcfbb47881a7be_r, public key reauthentication in 5 hours
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c4e02848_i c2c6dec8_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying active
     net-net{1}: === 

#setkey -D
No SAD entries.



----- Mail original -----
De: "Thomas Egerer" <hakke_007 at gmx.de>
À: users at lists.strongswan.org
Cc: "emeric poupon" <emeric.poupon at stormshield.eu>
Envoyé: Vendredi 1 Août 2014 22:14:02
Objet: Re: [strongSwan] CHILD SA and PFS

Hi Emeric

On 08/01/2014 04:05 PM, Emeric POUPON wrote:
> Hello,
> I have some problems enabling PFS on the CHILD SA.
> I'm using strongswan 5.2.0 on FreeBSD.
> Here are the site configurations:
looks good.
However [1], the IKE_AUTH exchange responsible for
establishing the *first* CHILD_SA does not include a key exchange
(KE), whereas [2], the CREATE_CHILD_SA exchange responsible
for creating (subsequent), or rekeying children, does include
an (optional) key exchange ([KE]).
If you wait for the configured keylife of <=60 minutes, you
should see a rekeying of the CHILD_SA take place, including
the configured PFS-group.



[1] http://tools.ietf.org/html/rfc5996#appendix-C.2
[2] http://tools.ietf.org/html/rfc5996#appendix-C.4

More information about the Users mailing list