[strongSwan] Strong swan IKE issue.
aplsms at gmail.com
Tue Mar 20 19:49:21 CET 2018
Remote side is asking to disable PFS Group 5:
PFS Group 5 is not configured on our end and is not enabled by default.
If this is currently required on the Andrii end then we will open a change to have this added.
Can it cause this problem?
How can I disable PFS on my side?
We have no DH group defined for esp, so PFS is disabled. What I have in the doc:
pfs = yes | no
whether Perfect Forward Secrecy of keys is desired on the connection's keying channel (with PFS,
penetration of the key-exchange protocol does not compromise keys negotiated earlier). IKEv2 always uses
PFS for IKE_SA rekeying whereas for CHILD_SA rekeying PFS is enforced by defining a Diffie-Hellman dhgroup
in the esp parameter. Since 5.0.0 <https://wiki.strongswan.org/projects/strongswan/wiki/500> the latter also applies to IKEv1 and this parameter has no effect anymore.
I set pfs=no, and have this in my log:
ipsec_starter: Starting strongSwan 5.6.2 IPsec [starter]...
# deprecated keyword 'pfs' in conn 'remote-asa'
ipsec_starter: # deprecated keyword 'pfs' in conn 'remote-asa'
PFS is enabled by specifying a DH group in the 'esp' cipher suite
ipsec_starter: PFS is enabled by specifying a DH group in the 'esp' cipher suite
I have no DH group specified for ESP on my side:
aplsms at gmail.com
> On Mar 20, 2018, at 8:07 AM, Andrii Petrenko <aplsms at gmail.com> wrote:
> Hello Tobias,
> Thank you for details.
> I’ve already tested with
> No luck. Requested logs and configs from ASA by
> debug crypto ikev1 127
> debug crypto ipsec 127
> show crypto ipsec sa
> Thank you,
> Andrii Petrenko
> aplsms at gmail.com
>> On Mar 20, 2018, at 12:45 AM, Tobias Brunner <tobias at strongswan.org> wrote:
>> Hi Andrii,
>> ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
>> your problem is during Phase 2 (Quick Mode, IPsec SA).
>>> Remote side is not supporting pfs.
>>> IKE Phase One Parameters:
>>> Encryption Algorithm: AES 256
>>> Hash Algorithm: SHA
>>> Authentication Method: Pre-shared key
>>> Key Exchange: Diffie Hellman Group 5
>>> IKE SA Lifetime: 86400 (Cisco default)
>>> IKE Phase Two Parameters (IPSEC):
>>> Authentication: ESP with SHA-HMAC
>>> Encryption Algorithm: ESP-AES 256
>>> SA Establishment: ipsec-isakmp (IKE negotiated)
>>> IPSEC Mode Tunnel (Cisco default)
>>> IPSEC SA Lifetime (time) 3600 seconds
>>> IPSEC SA Lifetime (volume) 4608000 kilobytes
>>> PFS (Perfect Forward Secrecy) No
>>> Optional encryption if requirements differ from above:
>>> esp-3des esp-md5-hmac
>>> esp-aes 256 esp-sha-hmac
>>> esp-aes 128 esp-sha-hmac
>>> This information I have from remote side.
>> Looks like esp=aes256-sha1! should be correct then. You could also try
>> esp=aes128-sha1! or esp=3des-md5! (not recommended though). And if this
>> doesn't work, ask the remote admins for the correct settings (they
>> should see in the log why the proposal was rejected).
>>> Is it possible to see what the remote side offers?
>> No (unless you do what ike-scan does i.e. try a number of possible
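Added example, not part of the original thread and not strongSwan's own code: a small Python check of ipsec.conf text for the rule in the documentation quoted above, namely that PFS is requested only when an esp proposal names a DH group and that pfs= is ignored. The sample config is constructed (only the conn name 'remote-asa' and the algorithms come from the thread), the function names are hypothetical, and also= inheritance is not followed.

```python
import re

# IKE DH group number -> strongSwan proposal keyword (IANA group numbers).
DH_KEYWORDS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 19: "ecp256", 20: "ecp384"}
# esp= tokens that name a DH group; any one of them requests PFS for the CHILD_SA.
DH_TOKEN = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve(25519|448))$")

# Constructed sample; only the conn name 'remote-asa' and the algorithms come from the thread.
SAMPLE = """\
conn remote-asa
    keyexchange=ikev1
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1!
    pfs=no

conn with-pfs
    esp=aes256-sha1-modp1536,aes128-sha1-modp1536!
"""

def audit_conns(conf_text):
    """Map each conn to its esp strict flag, PFS DH groups and deprecated pfs= use."""
    report, conn = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header starts in column 0
            parts = line.split()
            conn = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if conn:
                report[conn] = {"strict": False, "pfs_groups": [], "deprecated_pfs": False}
        elif conn and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "pfs":  # no effect since 5.0.0, starter only warns
                report[conn]["deprecated_pfs"] = True
            elif key == "esp":
                report[conn]["strict"] = value.endswith("!")
                tokens = re.split(r"[-,\s]+", value.rstrip("!"))
                groups = [t for t in tokens if DH_TOKEN.match(t)]
                report[conn]["pfs_groups"] = list(dict.fromkeys(groups))
    return report

def matches_peer(entry, peer_pfs_group):
    """peer_pfs_group is the peer's PFS DH group number, or None when PFS is off."""
    wanted = [] if peer_pfs_group is None else [DH_KEYWORDS[peer_pfs_group]]
    return entry["pfs_groups"] == wanted

if __name__ == "__main__":
    for name, entry in audit_conns(SAMPLE).items():
        print(name, entry, "matches peer without PFS:", matches_peer(entry, None))
```

For a peer that states "PFS: No", a conn passes only when its esp line carries no DH keyword; Cisco's "Group 5" corresponds to modp1536.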