Feature #1337
PFS DH group are not visible in ipsec status
Description
Hello,
I set pfs dh-group in ipsec.conf file but I cannot see any remark about this in ipsec statusall. Syslog reports that pfs dh-group is configured.
Config:
conn ipsec2 leftauth=psk rightauth=psk ikelifetime=3600 keylife=3600 rekeymargin=540 rekeyfuzz=100% type=tunnel esp=aes128-sha1-modp1536 keyexchange=ikev1 right=192.168.7.10 left=192.168.7.100 leftsubnet=192.168.2.0/24 rightsubnet=192.168.30.0/24 auto=start leftfirewall=yes
Log:
... 2016-03-04 12:03:22 charon: 12[CFG] selecting proposal: 2016-03-04 12:03:22 charon: 12[CFG] proposal matches 2016-03-04 12:03:22 charon: 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ 2016-03-04 12:03:22 charon: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ 2016-03-04 12:03:22 charon: 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ 2016-03-04 12:03:22 charon: 12[CHD] using AES_CBC for encryption 2016-03-04 12:03:22 charon: 12[CHD] using HMAC_SHA1_96 for integrity 2016-03-04 12:03:22 charon: 12[CHD] adding inbound ESP SA 2016-03-04 12:03:22 charon: 12[CHD] SPI 0xccb8b9b0, src 192.168.7.10 dst 192.168.7.100 ...
ipsec statusall:
Security Associations (1 up, 0 connecting): ipsec2[1]: ESTABLISHED 5 minutes ago, 192.168.7.100[192.168.7.100]...192.168.7.10[192.168.7.10] ipsec2[1]: IKEv1 SPIs: 049b7dff3b61cee7_i* 52576fef01e7f674_r, pre-shared key reauthentication in 40 minutes ipsec2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 ipsec2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ccb8b9b0_i c6c760e9_o ipsec2{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes ipsec2{1}: 192.168.2.0/24 === 192.168.30.0/24
Is the esp dh-group correctly configured/set?
Thanks.
History
#1 Updated by Tobias Brunner over 6 years ago
- Tracker changed from Issue to Feature
- Description updated (diff)
- Category set to libcharon
- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Target version set to 5.4.0
- Resolution set to Fixed
DH groups of CHILD_SAs were not logged until recently, see 5d7049b427 and #23 at Github.
#2 Updated by Jiri Zendulka about 6 years ago
Hi,
PFS DH group is visible only for IKEv1 not for IKEv2. See ipsec status bellow.
Status of IKE charon daemon (weakSwan 5.4.0, Linux 3.5.0-lsp-3.3.1, armv5tejl):
uptime: 115 minutes, since Apr 25 11:23:48 2016
malloc: sbrk 610304, mmap 0, used 131240, free 479064
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 33
loaded plugins: charon nonce pem openssl kernel-netlink socket-default stroke vici updown
Listening IP addresses:
10.64.0.15
172.17.5.8
10.0.7.146
Connections:
ipsec1: 10.0.7.146...10.0.7.140 IKEv2
ipsec1: local: uses pre-shared key authentication
ipsec1: remote: uses pre-shared key authentication
ipsec1: child: 172.17.0.0/16 === 172.18.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
ipsec1261: ESTABLISHED 2 minutes ago, 10.0.7.146[10.0.7.146]...10.0.7.140[10.0.7.140]
ipsec1261: IKEv2 SPIs: 39cc159ba3afe447_i* 725f7d67188b1238_r, pre-shared key reauthentication in 36 minutes
ipsec1261: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
ipsec1{230}: INSTALLED, TUNNEL, reqid 181, ESP SPIs: c257a1a8_i c7d5a178_o
ipsec1{230}: DES_CBC/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
ipsec1{230}: 172.17.0.0/16 === 172.18.0.0/16
#3 Updated by Tobias Brunner about 6 years ago
PFS DH group is visible only for IKEv1 not for IKEv2. See ipsec status bellow.
Please read my response to the PR I linked above.
#4 Updated by Jiri Zendulka about 6 years ago
I didn't notice that second link which deals with IKEv2 and PFS DH group. Now I see.
Thanks.