Hi Noel. Thanks but I already tried that way but same result.
I tried:

esp=3des-sha1
esp=3des-sha1!
esp=3des-sha1-null
esp=3des-sha1-null!

But PFS seems still enabled.

Regards.

2013/12/9 Noel Kuntze <[email protected]>

> Hello Sergio,
>
> You do this by using "esp=3des-sha1!".
> Note the "!" at the end, telling strongswan to only send this proposal
> when negotiating phase 2.
> Also remove the "pfs" line, as it's deprecated.
>
> Regards
> Noel Kuntze
>
> Sergio Samayoa <[email protected]> wrote:
>>
>> Hi.
>>
>> We need to connect to Checkpoint FW with the following configuration:
>>
>> Phase 1
>>   Authentication Method          pre-shared key
>>   pre-shared key                 *********
>>   Encryption Scheme              IKE
>>   Diffie-Hellman Group           Group 2
>>   Encryption Algorithm           3DES
>>   Hashing Algorithm              Sha-1
>>   Main or Aggressive Mode        Main mode
>>   Lifetime (for renegotiation)   86400s
>>
>> Phase 2
>>   Encapsulation (ESP or AH)      ESP
>>   Encryption Algorithm           3DES
>>   Authentication Algorithm       Sha-1
>>   Perfect Forward Secrecy        NO PFS
>>   Lifetime (for renegotiation)   3600s
>>
>> Our configuration file is:
>>
>> conn TMCO
>>     ikelifetime=86400s
>>     keylife=3600s
>>     keyexchange=ikev1
>>     authby=secret
>>     ike=3des-sha1-modp1024
>>     esp=3des-sha1
>>     left=x.x.x.x
>>     leftsubnet=192.168.15.0/24
>>     leftfirewall=yes
>>     leftsourceip=x.x.x.x
>>     right=y.y.y.y
>>     pfs=no
>>
>> When I start strongswan I get this message in the console:
>>
>> # deprecated keyword 'pfs' in conn 'TMCO'
>>   PFS is enabled by specifying a DH group in the 'esp' cipher suite
>>
>> Phase 1 is completed and I can see the security associations but I can't
>> reach any host in the right part because Strongswan is using PFS.
>>
>> AFAIK I'm not setting dhgroup in esp (esp=3des-sha1) but Strongswan
>> insists on enabling PFS.
>>
>> How can I disable PFS?
>>
>> --
>> Sergio Samayoa
>> Systems Architect
>> email: [email protected]
>> Mobile: (502) 5917 7888
>> Skype: sergio.e.samayoa
>>
>> http://www.icon-americas.com
>>
>> ------------------------------
>>
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
> --
> This message was sent from my Android mobile phone with K-9 Mail.
>

--
Sergio Samayoa
Systems Architect
email: [email protected]
Mobile: (502) 5917 7888
Skype: sergio.e.samayoa

http://www.icon-americas.com
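Added example, not part of the original thread and not strongSwan code: a small Python check for ipsec.conf text that reports the deprecated pfs keyword, whether any esp proposal names a DH group (which the console message quoted above says is how PFS gets enabled), and whether the proposal ends in "!". The function names, the DH keyword pattern and the "demo" conn are assumptions made for illustration.

```python
import re

# Assumption: common DH group keywords only, not every name strongSwan accepts.
DH_GROUP = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve(25519|448))$")

def parse_conns(text):
    """Return {conn name: {keyword: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as "conn TMCO"
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def esp_report(esp):
    """Report strict mode and any DH group (a PFS request) in an esp= value."""
    strict = esp.endswith("!")
    proposals = [p.strip() for p in esp.rstrip("!").split(",") if p.strip()]
    groups = [t for p in proposals for t in p.split("-") if DH_GROUP.match(t)]
    return {"strict": strict, "proposals": proposals, "dh_groups": groups}

def lint(text):
    """Return (conn, message) findings relevant to a 'no PFS' requirement."""
    findings = []
    for name, kv in parse_conns(text).items():
        if "pfs" in kv:
            findings.append((name, "deprecated keyword 'pfs'"))
        if "esp" not in kv:
            findings.append((name, "no esp= line"))
            continue
        rep = esp_report(kv["esp"])
        if rep["dh_groups"]:
            findings.append((name, "esp requests PFS: " + ",".join(rep["dh_groups"])))
        if not rep["strict"]:
            findings.append((name, "esp proposal is not strict (no trailing '!')"))
    return findings

# Sample: conn TMCO as posted in the thread, plus a constructed conn "demo".
SAMPLE = ("conn TMCO\n  ike=3des-sha1-modp1024\n  esp=3des-sha1\n  pfs=no\n"
          "conn demo\n  esp=aes128-sha256-modp2048!\n")

if __name__ == "__main__":
    print("\n".join(f"{conn}: {msg}" for conn, msg in lint(SAMPLE)))
```

The check only reads the esp= line; the DH group in ike= belongs to phase 1 and is deliberately ignored.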
