[strongSwan] IPSec Configuration - IKEv1 with PFS
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 26 01:58:38 CET 2018
Hi,
conn %default is not a real conn. You need to define at least one. Just move all that stuff into some conn with an arbitrary name. E.g. "conn foo".
All other things: Check the UsableExamples[1] article on the wiki.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
On 25.01.2018 01:26, Newton, Benjamin David wrote:
>
> I am trying to set up a site-to-site VPN using StrongSwan. The requirements for the VPN are:
>
>
> − Encapsulation Security Payload (ESP)
> − Encryption: AES-256
> − Authentication: SHA-1
> − IPSec / IKE Authentication: Pre-shared secret and digital certificate
> − IKE: Version 1
> − IKE phase 1: Diffie-Hellman group 5
> − Perfect Forward Secrecy (PFS): Diffie-Hellman group 1
> − Pre-shared secret key
>
>
> I have the following as a start in my ipsec.conf file:
>
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev1
> ike=aes256-sha1-modp1536
> esp=aes256-sha1-modp1536
> authby=secret
>
>
>
> However, I don't know how to specify the Perfect Forward Secrecy (PFS) as DH group 1.
>
>
> I'm also uncertain if the other entries are correct for the requirements above. (Do I need to specify the digital certificate?) (Do I need both an ike and esp line?)
>
>
> Any suggestions, or help would be greatly appreciated.
>
>
> Thanks,
>
> Ben Newton
>
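As an added illustration (not part of either message in this thread), here is what the quoted `conn %default` fragment looks like once moved into a named conn, with the PFS group written in the way strongSwan expects. In ipsec.conf the Diffie-Hellman group for Perfect Forward Secrecy is given as the DH part of the `esp=` proposal: DH group 5 is `modp1536` and DH group 1 is `modp768`, so `esp=aes256-sha1-modp768` requests PFS with group 1, and leaving the DH group out of `esp=` disables PFS. The `!` after a proposal makes it strict, so no additional default proposals are sent. The conn name, addresses, subnets and the secret are constructed placeholders; DH group 1 is a 768-bit MODP group that is far below current recommendations and appears here only because the quoted requirements list it.

```ini
# Added example, not from the thread. Named conn for the quoted
# site-to-site requirements (IKEv1, PSK, AES-256/SHA-1, PFS).
# Conn name, addresses and subnets are constructed placeholders.
config setup

conn site-to-site
    keyexchange=ikev1
    authby=secret
    # IKE phase 1: AES-256, SHA-1, DH group 5 (modp1536); '!' = strict proposal
    ike=aes256-sha1-modp1536!
    # ESP: AES-256, SHA-1; the trailing DH group sets PFS.
    # modp768 = DH group 1 (as required); omit the DH group to disable PFS.
    esp=aes256-sha1-modp768!
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    # this gateway and the network behind it (placeholders)
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    # the peer gateway and the network behind it (placeholders)
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    auto=start

# The pre-shared key belongs in ipsec.secrets, not ipsec.conf, e.g.
# (placeholder secret, one line, both gateway addresses):
# 192.0.2.1 198.51.100.1 : PSK "placeholder-shared-secret"
```

After loading the config, `ipsec statusall` shows the negotiated IKE and CHILD SA proposals, which is the quickest way to confirm that the peer accepted PFS with the intended group rather than silently falling back to a default proposal.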