[strongSwan] swanctl.conf - requiring PFS with 'default' IKE/ESP ciphers?

[Todd Cunningham]

Hello, I am wondering if there are any ways it is possible to guarantee a
tunnel with PFS using the 'default' keywords for both the <conn>.proposals
and <conn>.children.<child>.esp_proposals fields within the swanctl.conf
file. Is there another field which can be used to denote a requirement for
PFS or some other way this can be achieved?

I am currently running strongswan 5.8.1. Currently I believe this is not
possible as it appears the default ciphers include options without DH
groups, though I am finding the default proposal source
(src/libstrongswan/crypto/proposal/proposal.h/.c) a bit hard to follow (is
there a documented list of these defaults available anywhere else?) My
understanding is that the tunnel will achieve PFS if both tunnel endpoints
support matching ciphers with a DH group however if not the fallback will
be an alternative non-PFS cipher. However, my goal is to require PFS rather
than enable PFS.

Would the easiest workaround for this requirement be to hardcode a subset
of the default ciphers with DH groups into swanctl.conf?

As an additional clarification for perfect forward secrecy in general, the
security recommendations page states that PFS can be achieved by using a DH
group with ESP. Is it sufficient to declare an IKE cipher with a DH group
and leave the ESP proposal to 'default', or does ESP still require a DH
group explicitly in the proposal?

Alternatively, does it make any sense to leave the IKE cipher as 'default'
while specifying an esp_proposal with a DH group? Under these circumstances
it seems like we may run into a proposal mismatch during rekeying.

Thanks in advance for any advice anyone can provide!

Todd Cunningham
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20191103/1401a62c/attachment.html>