Discussion:
Strong Swan 5.1.1 - pfs=no ignored - How can I disable PFS?
Sergio Samayoa
2013-12-09 16:10:39 UTC
Hi.

We need to connect to Checkpoint FW with the following configuration:

Phase 1
Authentication Method pre-shared key
pre-shared key *********
Encryption Scheme IKE
Diffie-Hellman Group Group 2
Encryption Algorithm 3DES
Hashing Algorithm Sha-1
Main or Aggressive Mode Main mode
Lifetime (for renegotiation) 86400s

Phase 2
Encapsulation (ESP or AH) ESP
Encryption Algorithm 3DES
Authentication Algorithm Sha-1
Perfect Forward Secrecy NO PFS
Lifetime (for renegotiation) 3600s

Our configuration file is:

conn TMCO
ikelifetime=86400s
keylife=3600s
keyexchange=ikev1
authby=secret
ike=3des-sha1-modp1024
esp=3des-sha1
left=x.x.x.x
leftsubnet=192.168.15.0/24
leftfirewall=yes
leftsourceip=x.x.x.x
right=y.y.y.y
pfs=no

When I start strongswan I get this message in the console:

# deprecated keyword 'pfs' in conn 'TMCO'
PFS is enabled by specifying a DH group in the 'esp' cipher suite

Phase 1 is completed and I can see the security associations but I can't
reach any host in the right part because Strongswan is using PFS.

AFAIK I'm not setting dhgroup in esp (esp=3des-sha1) but Strongswan insists
on enabling PFS.

How can I disable PFS?
--
Sergio Samayoa
Systems Architect
email: sergiosamayoa-NBAPUxnO0By5NicE/***@public.gmane.org
Móvil: (502) 5917 7888
Skype: sergio.e.samayoa


http://www.icon-americas.com
Sergio Samayoa
2013-12-09 17:09:08 UTC
Hi Noel.

Thanks, but I already tried that way, with the same result.

I tried:

esp=3des-sha1
esp=3des-sha1!
esp=3des-sha1-null
esp=3des-sha1-null!

But PFS seems still enabled.

Regards.
Hello Sergio,
You do this by using "esp=3des-sha1!".
Note the "!" at the end, telling strongswan to only send this proposal
when negotiating phase 2.
Also remove the "pfs" line, as it's deprecated.
Regards
Noel Kuntze
------------------------------
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
--
This message was sent from my Android mobile phone with K-9 Mail.
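Added example, not from this thread and not strongSwan's own code: a small Python audit that reads the conn from Sergio's ipsec.conf and reports how PFS is actually controlled, following the two rules stated above (the charon message: a DH group inside the esp= proposal is what enables PFS, and pfs= is deprecated; Noel's note: a trailing "!" makes the proposal list strict). The ipsec.conf text is a constructed copy of the conn from the thread, the list of DH-group keywords is an assumption covering the common names, and the reader deliberately ignores also= and %default merging.

```python
import re

# DH-group keywords as they appear in strongSwan ike=/esp= proposal strings.
# A DH group inside an *ESP* proposal is exactly what turns PFS on (that is
# what the charon message in the thread says).  Assumption: this list covers
# the common names; extend it for other groups.
DH_GROUP_RE = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")

# Constructed copy of the conn from the thread, as a minimal ipsec.conf.
SAMPLE_IPSEC_CONF = """\
config setup

conn TMCO
    ikelifetime=86400s
    keylife=3600s
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    left=x.x.x.x
    leftsubnet=192.168.15.0/24
    leftfirewall=yes
    leftsourceip=x.x.x.x
    right=y.y.y.y
    pfs=no
"""


def parse_proposal_list(value):
    """Split an ike=/esp= value into proposals.  Returns (proposals, strict):
    proposals is a list of token lists (one per comma-separated proposal);
    strict is True when the value ends in '!', i.e. only these proposals are
    offered and strongSwan's default proposals are not appended."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = [p.strip().lower().split("-") for p in value.split(",") if p.strip()]
    return proposals, strict


def dh_groups(tokens):
    """DH-group tokens present in one proposal."""
    return [t for t in tokens if DH_GROUP_RE.match(t)]


def esp_enables_pfs(esp_value):
    """True if any ESP proposal carries a DH group, i.e. PFS will be requested."""
    proposals, _ = parse_proposal_list(esp_value)
    return any(dh_groups(p) for p in proposals)


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}} for 'conn' sections.
    Assumption: no also= or %default merging; '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
        else:
            current = None  # 'config setup' or another section type
    return conns


def audit_conn(name, conn):
    """Findings about how PFS is controlled for one conn."""
    findings = []
    if "pfs" in conn:
        findings.append(f"{name}: 'pfs={conn['pfs']}' is deprecated and ignored; "
                        "PFS is controlled by the DH group in esp=")
    esp = conn.get("esp")
    if esp is None:
        findings.append(f"{name}: no esp= line, strongSwan's default ESP proposals apply")
        return findings
    proposals, strict = parse_proposal_list(esp)
    if esp_enables_pfs(esp):
        groups = sorted({g for p in proposals for g in dh_groups(p)})
        findings.append(f"{name}: esp={esp} contains DH group(s) {groups} -> PFS enabled")
    else:
        findings.append(f"{name}: esp={esp} has no DH group -> no PFS requested")
    if not strict:
        findings.append(f"{name}: esp list is not strict (no trailing '!'), so the "
                        "default proposals are appended to what is sent")
    return findings


if __name__ == "__main__":
    for conn_name, conn_cfg in parse_conns(SAMPLE_IPSEC_CONF).items():
        for finding in audit_conn(conn_name, conn_cfg):
            print(finding)
```

Run it against a real ipsec.conf by replacing SAMPLE_IPSEC_CONF with the file contents; for Sergio's conn it reports that pfs=no is ignored, that esp=3des-sha1 requests no PFS, and that the list is not strict, which is why the next thing to check is the negotiation log rather than the config.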
Thomas Egerer
2013-12-09 17:49:57 UTC
Hi Sergio,

can you run
stroke loglevel cfg 2
Then try to initiate the connection and look for charon's log output
<snip>
received proposals: [...]
configured proposals: [...]
selected proposals: [...] // <- this line is most likely missing
<snap>
Be sure to select the proposal selection for the child configuration
you're interested in.

Cheers,
Thomas
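Added example, not from this thread and not strongSwan's own code: a Python helper that does the check Thomas describes over charon's cfg-level output, grouping the "received proposals" / "configured proposals" / "selected proposal(s)" lines per IKE_SA and saying whether a missing selection is a DH-group (PFS) mismatch or something else. The log lines are constructed; their shape (worker id, [CFG], the <conn|id> tag) follows charon's usual format, and the DH-group spelling inside proposals (MODP_1024 and friends) is an assumption.

```python
import re

# Constructed sample of charon output at 'stroke loglevel cfg 2'.  One child
# SA (TMCO|1) gets no DH group from the peer while our configured proposal
# carries MODP_1024, so no proposal is selected; a second one (other|2)
# succeeds.  Contents are constructed, not copied from the thread.
SAMPLE_LOG = """\
09[CFG] <TMCO|1> received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
09[CFG] <TMCO|1> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
11[CFG] <other|2> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
11[CFG] <other|2> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
11[CFG] <other|2> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
"""

# charon prints 'selected proposal' (singular); Thomas wrote the plural.  Match both.
LINE_RE = re.compile(
    r"<(?P<sa>[^>]+)>\s+(?P<kind>received|configured|selected) proposals?:\s*(?P<props>.*)$")
# DH-group names as they appear inside a printed proposal (assumed spelling).
DH_RE = re.compile(r"\b(MODP_\d+(?:_\d+)?|ECP_\d+(?:_BP)?|CURVE_25519|CURVE_448)\b")


def parse_proposal_log(text):
    """Group the proposal lines by IKE_SA tag ('conn name|unique id').
    Returns {sa: {"received": [...], "configured": [...], "selected": [...]}}."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = out.setdefault(m.group("sa"),
                               {"received": [], "configured": [], "selected": []})
        entry[m.group("kind")].extend(
            p.strip() for p in m.group("props").split(",") if p.strip())
    return out


def diagnose(text):
    """Per IKE_SA: 'ok' if a proposal was selected, otherwise classify why not,
    looking specifically at the DH group since that is what PFS means here."""
    report = {}
    for sa, kinds in parse_proposal_log(text).items():
        recv_dh = {g for p in kinds["received"] for g in DH_RE.findall(p)}
        conf_dh = {g for p in kinds["configured"] for g in DH_RE.findall(p)}
        if kinds["selected"]:
            verdict = "ok"
        elif bool(recv_dh) != bool(conf_dh):
            verdict = "pfs-mismatch"          # one side wants PFS, the other does not
        elif recv_dh and recv_dh.isdisjoint(conf_dh):
            verdict = "dh-group-mismatch"     # both want PFS, on different groups
        else:
            verdict = "no-proposal-selected"  # look at cipher/integrity instead
        report[sa] = {"verdict": verdict,
                      "received_dh": sorted(recv_dh),
                      "configured_dh": sorted(conf_dh)}
    return report


if __name__ == "__main__":
    for sa_tag, result in diagnose(SAMPLE_LOG).items():
        print(sa_tag, result)
```

Feed it the relevant slice of the charon log (e.g. the lines tagged with the conn name you are testing); a verdict of "pfs-mismatch" on the child SA is the signature of the problem Sergio suspects, while "ok" on that child SA means the tunnel negotiated and, as Noel points out below, the cause lies elsewhere.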
Noel Kuntze
2013-12-09 17:51:49 UTC
Hello Sergio,

I don't think PFS is the issue then, as you would get a NO_PROP_CHOSEN error when connecting, if it was.
Did you make sure that ip_forwarding is enabled and the packets are altered/dropped/rejected by iptables, if needed?
StrongSwan doesn't do that for you.
Refer to [1] for the needed settings and a how-to.

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Regards
Noel Kuntze
On 09.12.2013 18:09, Sergio Samayoa wrote:
Post by Sergio Samayoa
Hi Noel.
Thanks but I already tried that way but same result.
esp=3des-sha1
esp=3des-sha1!
esp=3des-sha1-null
esp=3des-sha1-null!
But PFS seems still enabled.
Regards.
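Added example, not from this thread and not strongSwan's own code: a Python check of the two host-side conditions Noel raises above, whether the kernel forwards at all and whether the iptables FORWARD chain lets tunnel traffic through. The inputs are constructed stand-ins for the contents of /proc/sys/net/ipv4/ip_forward and of iptables-save output; the right-hand subnet is a placeholder because the thread never states it, and the rule matching is a heuristic (it looks for an ACCEPT rule that either names a tunnel subnet or uses the policy match "-m policy --pol ipsec"), not a full iptables parser.

```python
# Constructed inputs: ip_forward switched off and a FORWARD chain whose
# only ACCEPT rule does not cover the tunnel subnets.
SAMPLE_IP_FORWARD = "0\n"          # stands in for /proc/sys/net/ipv4/ip_forward
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""
LOCAL_SUBNET = "192.168.15.0/24"   # leftsubnet from the thread
REMOTE_SUBNET = "192.168.99.0/24"  # placeholder: rightsubnet is not given in the thread


def forwarding_enabled(ip_forward_text):
    """True if net.ipv4.ip_forward reads 1."""
    return ip_forward_text.strip() == "1"


def forward_chain(iptables_save_text):
    """Return (policy, rules) for the FORWARD chain of the filter table."""
    policy, rules, in_filter = None, [], False
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif in_filter and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A FORWARD "):
            rules.append(line)
    return policy, rules


def rule_mentions_tunnel(rule, local_subnet, remote_subnet):
    """Heuristic: does the rule match traffic of this tunnel?  Either by the
    IPsec policy match or by naming one of the tunnel subnets."""
    return "--pol ipsec" in rule or local_subnet in rule or remote_subnet in rule


def check_forwarding(ip_forward_text, iptables_save_text, local_subnet, remote_subnet):
    """Return a list of findings; empty means both of Noel's conditions look fine."""
    findings = []
    if not forwarding_enabled(ip_forward_text):
        findings.append("net.ipv4.ip_forward is not 1: the gateway will not forward "
                        "packets between the tunnel and the LAN")
    policy, rules = forward_chain(iptables_save_text)
    accepting = [r for r in rules if "-j ACCEPT" in r
                 and rule_mentions_tunnel(r, local_subnet, remote_subnet)]
    blocking = [r for r in rules if ("-j DROP" in r or "-j REJECT" in r)
                and rule_mentions_tunnel(r, local_subnet, remote_subnet)]
    if policy == "DROP" and not accepting:
        findings.append(f"FORWARD policy is DROP and no ACCEPT rule covers "
                        f"{local_subnet} <-> {remote_subnet} or IPsec-policy traffic")
    if blocking:
        findings.append("explicit DROP/REJECT rule(s) in FORWARD match the tunnel: "
                        + "; ".join(blocking))
    return findings


if __name__ == "__main__":
    # On a real gateway: open('/proc/sys/net/ipv4/ip_forward').read() and the
    # output of 'iptables-save' instead of the constructed samples.
    for finding in check_forwarding(SAMPLE_IP_FORWARD, SAMPLE_IPTABLES_SAVE,
                                    LOCAL_SUBNET, REMOTE_SUBNET):
        print(finding)
```

With leftfirewall=yes strongSwan's updown script adds its own FORWARD rules when a CHILD_SA comes up, so run the check while the SA is established; an empty finding list then means the remaining suspects are routing on the far side or the Checkpoint's own policy.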