[strongSwan] Strong swan IKE issue.

Tobias Brunner tobias at strongswan.org
Wed Mar 21 09:42:39 CET 2018

Hi Andrii,

> Remote side is asking to disable PFS Group 5:
> PFS Group 5 is not configured on our end and is not enabled by default.
> If this is currently required on the Andrii end then we will open a
> change to have this added.
> Can it cause this problem?

Sounds strange, as you don't have the group included in the ESP proposal.

> How can I disable PFS on my side? 
> we have no DH group defined for esp, so pfs is disabled.

Yes, exactly.

> I set pfs=no, and have this in my log:
> ipsec_starter[1]: Starting strongSwan 5.6.2 IPsec [starter]...
> # deprecated keyword 'pfs' in conn 'remote-asa'
> ipsec_starter[1]: # deprecated keyword 'pfs' in conn 'remote-asa'
>   PFS is enabled by specifying a DH group in the 'esp' cipher suite
> ipsec_starter[1]:   PFS is enabled by specifying a DH group in the 'esp'
> cipher suite

As documented, the option is not supported anymore since 5.0.0, as
configuration of PFS now happens via the ESP/AH proposal.

> I have no DH group specified for ESP on my side:
>     esp=aes256-sha1!

Yep, so you might want to ask them to check the logs again, in
particular for errors during Phase 2/Quick Mode.
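
As an added illustration of the point made above (this is not part of the original message or of the strongSwan project's own documentation): in strongSwan 5.x the presence or absence of a DH group in the esp= proposal is what turns PFS off or on. The conn names below are assumed for the example; the first proposal is the poster's own, the second shows what the same proposal would look like if the peer really did require PFS Group 5 (modp1536).

```conf
# ipsec.conf fragment, added example (not from the original thread).
# A 'pfs=' keyword is deprecated since 5.0.0; PFS is controlled solely by
# whether the ESP proposal carries a DH group.

conn remote-asa
    # ... other settings omitted ...
    # No DH group in the ESP proposal: PFS is disabled (the poster's setting).
    esp=aes256-sha1!

conn remote-asa-pfs
    # Hypothetical variant: same ciphers with PFS Group 5 (modp1536) appended.
    # Only use this if the peer actually requires PFS with that group.
    esp=aes256-sha1-modp1536!
```

The trailing `!` makes the proposal strict, so strongSwan offers exactly that suite and nothing else; if the peer's Phase 2/Quick Mode proposal does not match it (for example because the peer does send a PFS group, or a different integrity algorithm), the CHILD_SA negotiation fails and the mismatch shows up in the peer's Phase 2 logs rather than as a PFS setting on this side.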


