Hello Sergio,

I don't think PFS is the issue then, as you would get a NO_PROP_CHOSEN error when connecting if it was. Did you make sure that ip_forwarding is enabled and the packets are altered/dropped/rejected by iptables, if needed? StrongSwan doesn't do that for you. Refer to [1] for the needed settings and a how-to.

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Regards
Noel Kuntze

On 09.12.2013 18:09, Sergio Samayoa wrote:
> Hi Noel.
>
> Thanks, but I already tried that way, with the same result.
>
> I tried:
>
>     esp=3des-sha1
>     esp=3des-sha1!
>     esp=3des-sha1-null
>     esp=3des-sha1-null!
>
> But PFS still seems enabled.
>
> Regards.
>
> 2013/12/9 Noel Kuntze <[email protected]>
> > Hello Sergio,
> >
> > You do this by using "esp=3des-sha1!".
> > Note the "!" at the end, telling strongswan to only send this proposal
> > when negotiating phase 2.
> > Also remove the "pfs" line, as it's deprecated.
> >
> > Regards
> > Noel Kuntze
> >
> > Sergio Samayoa <[email protected]> wrote:
> > > Hi.
> > >
> > > We need to connect to a Checkpoint FW with the following configuration:
> > >
> > > Phase 1
> > >     Authentication Method:          pre-shared key
> > >     Pre-shared key:                 *********
> > >     Encryption Scheme:              IKE
> > >     Diffie-Hellman Group:           Group 2
> > >     Encryption Algorithm:           3DES
> > >     Hashing Algorithm:              SHA-1
> > >     Main or Aggressive Mode:        Main mode
> > >     Lifetime (for renegotiation):   86400s
> > >
> > > Phase 2
> > >     Encapsulation (ESP or AH):      ESP
> > >     Encryption Algorithm:           3DES
> > >     Authentication Algorithm:       SHA-1
> > >     Perfect Forward Secrecy:        NO PFS
> > >     Lifetime (for renegotiation):   3600s
> > >
> > > Our configuration file is:
> > >
> > >     conn TMCO
> > >         ikelifetime=86400s
> > >         keylife=3600s
> > >         keyexchange=ikev1
> > >         authby=secret
> > >         ike=3des-sha1-modp1024
> > >         esp=3des-sha1
> > >         left=x.x.x.x
> > >         leftsubnet=192.168.15.0/24
> > >         leftfirewall=yes
> > >         leftsourceip=x.x.x.x
> > >         right=y.y.y.y
> > >         pfs=no
> > >
> > > When I start strongswan I get this message in the console:
> > >
> > >     # deprecated keyword 'pfs' in conn 'TMCO'
> > >     PFS is enabled by specifying a DH group in the 'esp' cipher suite
> > >
> > > Phase 1 is completed and I can see the security associations, but I
> > > can't reach any host in the right part because Strongswan is using PFS.
> > >
> > > AFAIK I'm not setting a dhgroup in esp (esp=3des-sha1), but Strongswan
> > > insists on enabling PFS.
> > >
> > > How can I disable PFS?
> > >
> > > --
> > > Sergio Samayoa
> > > Systems Architect
> > > email: [email protected]
> > > Mobile: (502) 5917 7888
> > > Skype: sergio.e.samayoa
> > > http://www.icon-americas.com
> >
> > --
> > This message was sent from my Android mobile phone with K-9 Mail.
>
> --
> Sergio Samayoa
> Systems Architect
> email: [email protected]
> Mobile: (502) 5917 7888
> Skype: sergio.e.samayoa
> http://www.icon-americas.com

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
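Added example, not part of the thread above and not strongSwan project code: a small Python checker for the rule the console warning states ("PFS is enabled by specifying a DH group in the 'esp' cipher suite"), applied to the conn posted in the thread. It splits an ike=/esp= value into its proposals, reports whether a DH group is present (PFS on) and whether the trailing "!" makes the proposal list strict, rewrites the posted conn to drop the deprecated pfs= keyword and send a strict esp= without any DH group, and reads the ip_forward sysctl that the reply points at. The DH group name pattern is a constructed subset of the keywords strongSwan accepts, the conn text is reconstructed from the thread with placeholder addresses, and the checker is a simplification of strongSwan's own proposal parser, not a copy of it.

```python
"""Check strongSwan ipsec.conf proposal strings for PFS and rewrite a conn.

Constructed example for the mailing-list thread; not strongSwan project code.
"""
import re

# Constructed subset of DH group keywords strongSwan understands in a proposal
# (modpNNNN, modpNNNNsNNN, ecpNNN, ecpNNNbp, curve25519/448, x25519/448).
DH_GROUP_RE = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")

# Reconstructed from the thread: the conn that produced the 'pfs' warning.
POSTED_CONN = """\
conn TMCO
    ikelifetime=86400s
    keylife=3600s
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    left=x.x.x.x
    leftsubnet=192.168.15.0/24
    leftfirewall=yes
    leftsourceip=x.x.x.x
    right=y.y.y.y
    pfs=no
"""


def parse_proposal(value):
    """Parse an ike=/esp= value: ',' separates alternative proposals, '-' separates
    algorithms inside one, and a trailing '!' marks the list as strict."""
    strict = value.endswith("!")
    proposals = []
    for prop in value.rstrip("!").split(","):
        tokens = [t for t in prop.strip().split("-") if t]
        dh = [t for t in tokens if DH_GROUP_RE.match(t)]
        proposals.append({"algs": [t for t in tokens if t not in dh], "dh": dh})
    return {"strict": strict, "proposals": proposals}


def pfs_enabled(esp_value):
    """True if any ESP proposal names a DH group, i.e. strongSwan will do PFS."""
    return any(p["dh"] for p in parse_proposal(esp_value)["proposals"])


def strip_pfs(esp_value, strict=True):
    """Return the esp= value with every DH group removed (PFS off); strict by default."""
    parsed = parse_proposal(esp_value)
    joined = ",".join("-".join(p["algs"]) for p in parsed["proposals"])
    return joined + ("!" if strict or parsed["strict"] else "")


def rewrite_conn(conf_text):
    """Drop the deprecated pfs= line and rewrite esp= so no DH group is proposed."""
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if "=" not in stripped or stripped.startswith("conn "):
            out.append(line)
            continue
        key, value = (s.strip() for s in stripped.split("=", 1))
        if key == "pfs":
            continue  # deprecated keyword; the esp= DH group decides PFS instead
        if key == "esp":
            indent = line[: len(line) - len(line.lstrip())]
            line = indent + "esp=" + strip_pfs(value)
        out.append(line)
    return "\n".join(out)


def ip_forward_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """Return True/False from the sysctl file, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    for value in ("3des-sha1", "3des-sha1!", "3des-sha1-modp1024", "3des-sha1-null!"):
        print(f"esp={value:<22} strict={parse_proposal(value)['strict']!s:<5} pfs={pfs_enabled(value)}")
    print(rewrite_conn(POSTED_CONN))
    print("ip_forward:", ip_forward_enabled())
```

With the posted esp=3des-sha1 there is no DH group, so the checker agrees with the poster that PFS is not being requested; the rewrite only adds the strict marker and removes pfs=no. That is why the reply turns to forwarding and iptables: a PFS mismatch would show up as a failed phase 2 negotiation, not as a tunnel that comes up but carries no traffic.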
