On Wed, 17 May 2017, Ivan Kuznetsov wrote:

I am trying to set up a site-to-site tunnel using ESP, IKEv2 and certificates. My side is Oracle Linux 6 (a RHEL6 clone from Oracle), libreswan 3.20, NETKEY stack as initiator. The other side is strongswan, don't know the exact version (not under my control), as responder.

So it occurred that the DH group is NOT negotiated despite modp2048 being configured for ESP on both sides.

PFS improvements are currently being merged in and should make it into
3.21. Note that we have seen invalid proposals from strongswan in the
wild, due to its lack of "strict mode" per default, resulting in a mix
of proposals in CREATE_CHILD_SA that have a DH group but no matching
KE payload.

libreswan before 3.21 will at rekey time start a whole new IKE_INIT
exchange with a fresh DH exchange, so you can just set your end's
ikelifetime shorter than the remote's, and get an "indirect" PFS.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
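The workaround described in the reply above, as an added example that is not part of the original thread: a libreswan ipsec.conf connection for the initiating (libreswan 3.20) side with modp2048 requested for both IKE and ESP, and ikelifetime set shorter than the IKE SA lifetime the strongswan peer is assumed to use, so that the libreswan side is the one to rekey and does so with a full IKE_INIT exchange and a fresh DH. The connection name, addresses, certificate nickname and the 30m/8h lifetimes are assumptions chosen for illustration; the remote's lifetime is not known from the thread and must be checked against the peer's configuration. Once both sides run a release that negotiates PFS in CREATE_CHILD_SA (3.21 per the reply), this shortening is no longer needed.

```ini
# Added example, not from the original post. Values marked (assumed)
# are illustrative and must be adapted to the actual deployment.
config setup
    protostack=netkey

conn strongswan-s2s                      # (assumed) connection name
    ikev2=insist                         # IKEv2 only, no IKEv1 fallback
    authby=rsasig                        # certificate-based authentication
    left=192.0.2.10                      # (assumed) libreswan side
    leftcert=oracle-linux-gw             # (assumed) NSS certificate nickname
    leftid=%fromcert
    leftsubnet=10.1.0.0/24               # (assumed)
    right=198.51.100.20                  # (assumed) strongswan side
    rightid=%fromcert
    rightsubnet=10.2.0.0/24              # (assumed)
    # Request modp2048 for the IKE SA and for the ESP (CHILD) SA
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256;modp2048
    pfs=yes
    # Workaround for libreswan < 3.21: keep the IKE SA lifetime below the
    # peer's (assumed 1h or longer on the strongswan side) so this end
    # rekeys first with a new IKE_INIT, i.e. a fresh DH exchange.
    ikelifetime=30m                      # (assumed) shorter than the remote's
    salifetime=8h                        # (assumed) IPsec SA lifetime
    auto=start
```

After loading the connection (`ipsec auto --add strongswan-s2s` and `ipsec auto --up strongswan-s2s`), `ipsec status` shows the negotiated proposals; if the peer still reports a proposal with a DH group but no matching KE payload, that is the strongswan "strict mode" issue mentioned in the reply, and only the 3.21 fix addresses it fully.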