[strongSwan] swanctl.conf - requiring PFS with 'default' IKE/ESP ciphers?

Tobias Brunner tobias at strongswan.org
Tue Nov 5 09:37:14 CET 2019

Hi Noel, Todd,

> The default proposal depends on which ciphers are available on your system, so they won't change.

Not the ESP proposal, which is hard-coded (no AEAD, no PFS) as there is
currently no API to query which algorithms the IPsec stack (usually the
kernel) supports.

So yeah, there is currently no other option than to configure the ESP
proposals explicitly to match the requirements.

> As an additional clarification for perfect forward secrecy in general, the security recommendations page states that PFS can be achieved by using a DH group with ESP. Is it sufficient to declare an IKE cipher with a DH group and leave the ESP proposal to 'default', or does ESP still require a DH group explicitly in the proposal?

DH groups must be part of any IKE proposal.  So whenever an IKE_SA is
rekeyed, fresh key material is generated, which will then also be used
for new or rekeyed CHILD_SAs (i.e. technically giving you PFS, but
obviously not for each individual CHILD_SA, which might be preferred).

> Alternatively, does it make any sense to leave the IKE cipher as 'default' while specifying an esp_proposal with a DH group? Under these circumstances it seems like we may run into a proposal mismatch during rekeying.

Yes, that could happen.  You could avoid the delay in noticing the
mismatch by using childless IKE_SAs (if supported by the peers), so the
initial CHILD_SA is already created with a separate CREATE_CHILD_SA
exchange (including a DH exchange if configured), see [1].


[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2

More information about the Users mailing list