[strongSwan] Strong swan IKE issue.
tobias at strongswan.org
Wed Mar 21 09:42:39 CET 2018
> Remote side is asking to disable PFS Group 5:
> PFS Group 5 is not configured on our end and is not enabled by default.
> If this is currently required on the Andrii end then we will open a
> change to have this added.
> Can it cause this problem?
Sounds strange, as you don't have the group included in the ESP proposal.
> How can I disable PFS on my side?
> we have no DH group defined for esp, so pfs is disabled.
> I set pfs=no, and have this in my log:
> ipsec_starter: Starting strongSwan 5.6.2 IPsec [starter]...
> # deprecated keyword 'pfs' in conn 'remote-asa'
> ipsec_starter: # deprecated keyword 'pfs' in conn 'remote-asa'
> PFS is enabled by specifying a DH group in the 'esp' cipher suite
> ipsec_starter: PFS is enabled by specifying a DH group in the 'esp' cipher suite
As documented, the option is not supported anymore since 5.0.0 as
configuration of PFS now happens via ESP/AH proposal.
> I have no DH group specified for ESP on my side:
Yep, so you might want to ask them to check the logs again, in
particular for errors during Phase 2/Quick Mode.
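As an added illustration, not part of the original thread or of strongSwan's own documentation, this is how the PFS setting looks in ipsec.conf for a conn like 'remote-asa' on strongSwan 5.x. The first child proposal has no DH group, so no PFS is negotiated in Quick Mode; the second appends modp1536 (DH group 5, which is what the remote side calls "PFS Group 5"), and that alone turns PFS on. The AES-256/SHA-256 algorithms and the second conn name are assumed for the example; the trailing `!` is the strict flag that restricts the proposal to exactly what is listed.

```ini
# Added example, not from the original post or the strongSwan project.
# aes256-sha256 is an assumed choice; only the trailing DH group matters here.

conn remote-asa
    # ... other settings (left, right, ike=, authby=, ...) as in the real config
    keyexchange=ikev1
    # No DH group in the ESP proposal: PFS is off for Quick Mode.
    # (A 'pfs=no' line here is a deprecated keyword and is ignored since 5.0.0.)
    esp=aes256-sha256!

conn remote-asa-pfs
    # Hypothetical second conn, same peer, with PFS enabled.
    keyexchange=ikev1
    # Appending modp1536 (DH group 5) enables PFS; the peer must offer it too.
    esp=aes256-sha256-modp1536!
```

After `ipsec update`, `ipsec statusall` shows the ESP proposal actually negotiated once the CHILD_SA is up, so a mismatch between the two sides on the DH group (one offering MODP_1536, the other none) is visible there and in the Quick Mode errors Tobias suggests checking.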