Feature #1337
Updated by Tobias Brunner over 9 years ago
Hello,
I set the PFS DH group in the ipsec.conf file, but I cannot see any remark about this in ipsec statusall. Syslog reports that the PFS DH group is configured.
Config:
<pre>
conn ipsec2
leftauth=psk
rightauth=psk
ikelifetime=3600
keylife=3600
rekeymargin=540
rekeyfuzz=100%
type=tunnel
esp=aes128-sha1-modp1536
keyexchange=ikev1
right=192.168.7.10
left=192.168.7.100
leftsubnet=192.168.2.0/24
rightsubnet=192.168.30.0/24
auto=start
leftfirewall=yes
</pre>
Log:
<pre>
...
2016-03-04 12:03:22 charon: 12[CFG] selecting proposal:
2016-03-04 12:03:22 charon: 12[CFG] proposal matches
2016-03-04 12:03:22 charon: 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CHD] using AES_CBC for encryption
2016-03-04 12:03:22 charon: 12[CHD] using HMAC_SHA1_96 for integrity
2016-03-04 12:03:22 charon: 12[CHD] adding inbound ESP SA
2016-03-04 12:03:22 charon: 12[CHD] SPI 0xccb8b9b0, src 192.168.7.10 dst 192.168.7.100
...
</pre>
ipsec statusall:
<pre>
Security Associations (1 up, 0 connecting):
ipsec2[1]: ESTABLISHED 5 minutes ago, 192.168.7.100[192.168.7.100]...192.168.7.10[192.168.7.10]
ipsec2[1]: IKEv1 SPIs: 049b7dff3b61cee7_i* 52576fef01e7f674_r, pre-shared key reauthentication in 40 minutes
ipsec2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ipsec2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ccb8b9b0_i c6c760e9_o
ipsec2{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
ipsec2{1}: 192.168.2.0/24 === 192.168.30.0/24
</pre>
Is the ESP DH group correctly configured/set?
Thanks.
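The log excerpt above answers the question, while the statusall output does not: the `selected proposal` line is the record of what was actually negotiated for the CHILD_SA, and the CHILD_SA line in `ipsec statusall` lists only the encryption and integrity algorithms. The following script is an added example, not strongSwan's own code or tooling; it parses charon log lines and statusall output of the shape quoted in this issue (an assumed format), extracts the DH group negotiated for ESP, and compares it with the group named in the `esp=` setting. The sample log and status text in the script are constructed to mirror the post; the `MODP_`/`ECP_`/`CURVE_` name prefixes and the `modp1536` to `MODP_1536` mapping are assumptions about how strongSwan names DH groups.

```python
"""Check whether a charon log shows a DH group (PFS) negotiated for the ESP
CHILD_SA, and compare that with what "ipsec statusall" prints.

Added example, not strongSwan code. Assumes log and status lines shaped like
the ones quoted in the issue."""
import re
from typing import Dict, List, Optional

# Constructed sample input shaped like the charon log quoted in the issue.
CHARON_LOG = """\
2016-03-04 12:03:22 charon: 12[CFG] selecting proposal:
2016-03-04 12:03:22 charon: 12[CFG] proposal matches
2016-03-04 12:03:22 charon: 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CHD] using AES_CBC for encryption
"""

# Constructed sample shaped like the "ipsec statusall" output in the issue.
STATUSALL = """\
ipsec2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ipsec2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ccb8b9b0_i c6c760e9_o
ipsec2{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
"""

# "selected proposal: ESP:ALG/ALG/..." (the "selecting proposal:" line does not match).
SELECTED_RE = re.compile(r"\[CFG\] selected proposal: (?P<proto>[A-Z]+):(?P<algs>\S+)")
# CHILD_SA algorithm line of statusall; anchored on the "bytes_i" counter so the
# "INSTALLED, TUNNEL, ..." line is not mistaken for an algorithm list (assumed format).
CHILD_STATUS_RE = re.compile(r"^\S+\{\d+\}:\s+(?P<algs>[A-Z0-9_/]+),\s+\d+ bytes_i")
# Assumed prefixes of strongSwan DH-group names.
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")


def classify(algs: List[str]) -> Dict[str, List[str]]:
    """Sort proposal algorithm names into encryption / integrity / dh / esn buckets."""
    out: Dict[str, List[str]] = {"encryption": [], "integrity": [], "dh": [], "esn": []}
    for a in algs:
        if a.startswith(DH_PREFIXES):
            out["dh"].append(a)
        elif a.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
            out["integrity"].append(a)
        elif a.endswith("EXT_SEQ"):
            out["esn"].append(a)
        else:
            out["encryption"].append(a)
    return out


def selected_proposals(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map protocol (ESP/AH/IKE) to the last 'selected proposal' seen for it."""
    found: Dict[str, Dict[str, List[str]]] = {}
    for line in log_text.splitlines():
        m = SELECTED_RE.search(line)
        if m:
            found[m.group("proto")] = classify(m.group("algs").split("/"))
    return found


def negotiated_pfs_group(log_text: str) -> Optional[str]:
    """DH group negotiated for the ESP CHILD_SA, or None when no PFS group was selected."""
    esp = selected_proposals(log_text).get("ESP")
    if not esp or not esp["dh"]:
        return None
    return esp["dh"][0]


def statusall_child_algs(status_text: str) -> List[str]:
    """Algorithms listed on the CHILD_SA line of statusall (no DH group in the quoted format)."""
    for line in status_text.splitlines():
        m = CHILD_STATUS_RE.match(line)
        if m:
            return m.group("algs").split("/")
    return []


def config_group_to_name(token: str) -> Optional[str]:
    """Map an ipsec.conf group token such as 'modp1536' or 'ecp256' to the log name (assumed mapping)."""
    m = re.fullmatch(r"(modp|ecp)(\d+)", token.lower())
    return f"{m.group(1).upper()}_{m.group(2)}" if m else None


def pfs_matches_config(log_text: str, config_token: str) -> bool:
    """True when the log shows the ESP DH group named in the esp= setting."""
    expected = config_group_to_name(config_token)
    return expected is not None and negotiated_pfs_group(log_text) == expected


if __name__ == "__main__":
    print("negotiated ESP DH group:", negotiated_pfs_group(CHARON_LOG))
    print("statusall CHILD_SA algs:", statusall_child_algs(STATUSALL))
    print("matches esp=aes128-sha1-modp1536:", pfs_matches_config(CHARON_LOG, "modp1536"))
```

Run against the quoted lines, the script reports `MODP_1536` from the log and a statusall algorithm list without any DH group, which is the situation the post describes: the group is negotiated, and its absence from statusall is a display gap rather than a configuration problem. The same check run over a log whose `selected proposal: ESP:` line carries no `MODP_`/`ECP_` entry returns `None`, which is the case a defender actually wants to catch.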