[strongSwan] Strong swan IKE issue.
Tobias Brunner
tobias at strongswan.org
Wed Mar 21 09:42:39 CET 2018
Hi Andrii,
> Remote side is asking disable PFS Group 5:
>
> PFS Group 5 is not configured on our end and is not enabled by default.
> If this is currently required on the Andrii end then we will open a
> change to have this added.
>
> Can it cause this problem?
Sounds strange, as you don't have the group included in the ESP proposal.
> How can I disable PFS on my side?
>
> we have no DH group defined for esp, so pfs is disabled.
Yes, exactly.
> I set pfs=no, and have this in my log:
>
> ipsec_starter[1]: Starting strongSwan 5.6.2 IPsec [starter]...
> # deprecated keyword 'pfs' in conn 'remote-asa'
> ipsec_starter[1]: # deprecated keyword 'pfs' in conn 'remote-asa'
> PFS is enabled by specifying a DH group in the 'esp' cipher suite
> ipsec_starter[1]: PFS is enabled by specifying a DH group in the 'esp'
> cipher suite
As documented, the option is not supported anymore since 5.0.0, as
configuration of PFS now happens via the ESP/AH proposal.
> I have no DH group specified for ESP on my side:
>
> esp=aes256-sha1!
Yep, so you might want to ask them to check the logs again, in
particular for errors during Phase 2/Quick Mode.
Regards,
Tobias
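A small helper, added here as an example and not part of this thread or of strongSwan itself, that reads an ipsec.conf `esp=` value the way the reply describes: PFS is on only where a proposal contains a DH group keyword, and the strongSwan keyword (e.g. `modp1536`) is mapped to the IKE group number a peer would quote ("Group 5"). The keyword table is a subset of what strongSwan accepts.

```python
# IKE Diffie-Hellman group numbers (IANA transform type 4 registry) for a
# subset of the strongSwan proposal keywords; a peer typically refers to
# these as "PFS Group N".
DH_GROUPS = {
    "modp1024": 2,
    "modp1536": 5,
    "modp2048": 14,
    "modp3072": 15,
    "modp4096": 16,
    "ecp256": 19,
    "ecp384": 20,
    "ecp521": 21,
    "curve25519": 31,
}


def parse_esp_proposals(esp_value):
    """Parse the value of an ipsec.conf 'esp=' line.

    Returns one dict per comma-separated proposal:
      {"algorithms": [...], "pfs_groups": [...]}
    'pfs_groups' lists the IKE group numbers of any DH keyword present;
    an empty list means that proposal does not enable PFS.
    """
    value = esp_value.strip()
    if value.endswith("!"):           # '!' = strict: propose only these suites
        value = value[:-1]
    proposals = []
    for prop in value.split(","):
        tokens = [t for t in prop.strip().split("-") if t]
        groups = [DH_GROUPS[t] for t in tokens if t in DH_GROUPS]
        algs = [t for t in tokens if t not in DH_GROUPS]
        proposals.append({"algorithms": algs, "pfs_groups": groups})
    return proposals


def pfs_enabled(esp_value):
    """True if at least one proposal carries a DH group (PFS offered)."""
    return any(p["pfs_groups"] for p in parse_esp_proposals(esp_value))


def describe(esp_value):
    """One summary line per proposal, for comparing against a peer's claim."""
    lines = []
    for p in parse_esp_proposals(esp_value):
        suite = "-".join(p["algorithms"])
        if p["pfs_groups"]:
            groups = ", ".join(str(n) for n in p["pfs_groups"])
            lines.append(f"{suite}: PFS group {groups}")
        else:
            lines.append(f"{suite}: no PFS")
    return lines
```

Running `describe("aes256-sha1!")` on the proposal from the thread reports `no PFS`, which is the point to raise with the peer when they claim group 5 is involved.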