Hi.

We need to connect to Checkpoint FW with the following configuration:

Phase 1
Authentication Method pre-shared key
pre-shared key *********
Encryption Scheme IKE
Diffie-Hellman Group Group 2
Encryption Algorithm 3DES
Hashing Algorithm Sha-1
Main or Aggressive Mode Main mode
Lifetime (for renegotiation) 86400s

Phase 2
Encapsulation (ESP or AH) ESP
Encryption Algorithm 3DES
Authentication Algorithm Sha-1
Perfect Forward Secrecy NO PFS
Lifetime (for renegotiation) 3600s

Our configuration file is:

conn TMCO
        ikelifetime=86400s
        keylife=3600s
        keyexchange=ikev1
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=x.x.x.x
        leftsubnet=192.168.15.0/24
        leftfirewall=yes
        leftsourceip=x.x.x.x
        right=y.y.y.y
        pfs=no

When I start strongSwan I get this message in the console:

# deprecated keyword 'pfs' in conn 'TMCO'
  PFS is enabled by specifying a DH group in the 'esp' cipher suite

Phase 1 is completed and I can see the security associations, but I can't
reach any host on the right side because strongSwan is using PFS.

AFAIK I'm not setting a DH group in esp (esp=3des-sha1), but strongSwan insists
on enabling PFS.

How can I disable PFS?

-- 
Sergio Samayoa
Systems Architect
email: [email protected]
Mobile: (502) 5917 7888
Skype: sergio.e.samayoa


http://www.icon-americas.com


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
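The warning quoted in the post is the key to the behaviour: in this strongSwan version the `pfs=` keyword is ignored, and Phase 2 PFS is requested only by putting a DH group (such as `modp1024`) into the `esp` proposal. The script below is an added example, not code from the post or from the strongSwan project. It parses a `conn` section in the indented `ipsec.conf` layout shown above (a minimal hypothetical parser, sufficient for this format only), reports whether the `esp` proposal actually carries a DH group, and translates the Check Point Phase 1/Phase 2 parameters into the corresponding `ike=`/`esp=` strings. The `CHECKPOINT_DH_GROUPS` mapping and the sample configuration are constructed for this example; the sample reuses the placeholder addresses from the post.

```python
"""Audit Phase 2 PFS in a strongSwan ipsec.conf 'conn' section.

Added example, not from the original post or the strongSwan project.
strongSwan enables PFS when the 'esp' proposal contains a DH group token;
the legacy 'pfs=' keyword is deprecated and has no effect.
"""
import re

# Constructed sample: the conn block from the post, placeholders kept as-is.
SAMPLE_CONF = """\
conn TMCO
        ikelifetime=86400s
        keylife=3600s
        keyexchange=ikev1
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=x.x.x.x
        leftsubnet=192.168.15.0/24
        leftfirewall=yes
        leftsourceip=x.x.x.x
        right=y.y.y.y
        pfs=no
"""

# Check Point "Group N" -> strongSwan DH group keyword (standard IKE group
# numbers; constructed table covering the common MODP groups).
CHECKPOINT_DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

# Tokens that strongSwan treats as a DH group inside an ike=/esp= proposal.
DH_TOKEN = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Hypothetical minimal parser: section headers start at column 0,
    settings are indented 'key=value' lines, '#' starts a comment.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():  # section header at column 0
            parts = line.split(None, 1)
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def proposal_has_dh(proposal):
    """True if any proposal in a comma-separated list carries a DH group token."""
    for prop in proposal.split(","):
        if any(DH_TOKEN.match(tok) for tok in prop.split("-")):
            return True
    return False


def audit_pfs(conn):
    """Describe what strongSwan will actually request for PFS on one conn."""
    findings = []
    esp = conn.get("esp", "")
    if "pfs" in conn:
        findings.append("deprecated 'pfs' keyword is ignored")
    if esp and proposal_has_dh(esp):
        findings.append("PFS enabled: esp proposal carries a DH group")
    elif esp:
        findings.append("PFS not requested: no DH group in esp proposal")
    else:
        findings.append("esp not set: strongSwan default proposal applies")
    return findings


def checkpoint_to_proposals(phase1, phase2):
    """Translate Check Point parameters to strongSwan ike=/esp= strings.

    phase1 = (encryption, hash, dh_group_number)
    phase2 = (encryption, hash, pfs_group_number or None for 'NO PFS')
    """
    enc1, hash1, grp1 = phase1
    ike = "-".join([enc1.lower(), hash1.lower().replace("-", ""),
                    CHECKPOINT_DH_GROUPS[grp1]])
    enc2, hash2, grp2 = phase2
    esp_parts = [enc2.lower(), hash2.lower().replace("-", "")]
    if grp2 is not None:  # only a DH group in esp= turns PFS on
        esp_parts.append(CHECKPOINT_DH_GROUPS[grp2])
    return ike, "-".join(esp_parts)


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, audit_pfs(conn))
    print(checkpoint_to_proposals(("3DES", "Sha-1", 2), ("3DES", "Sha-1", None)))
```

Run against the posted configuration, the audit reports that the `pfs=no` line is ignored and that the `esp=3des-sha1` proposal contains no DH group, i.e. this side is not requesting PFS. That is the first fact to confirm before looking at the peer's Phase 2 settings, since both sides must agree on whether a group is negotiated.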
