Feature #1337

Updated by Tobias Brunner over 4 years ago

Hello,

I set the PFS DH group in the ipsec.conf file, but I cannot see any remark about this in ipsec statusall. Syslog reports that the PFS DH group is configured.

Config:
<pre>
conn ipsec2
leftauth=psk
rightauth=psk
ikelifetime=3600
keylife=3600
rekeymargin=540
rekeyfuzz=100%
type=tunnel
esp=aes128-sha1-modp1536
keyexchange=ikev1
right=192.168.7.10
left=192.168.7.100
leftsubnet=192.168.2.0/24
rightsubnet=192.168.30.0/24
auto=start
leftfirewall=yes
</pre>


Log:
<pre>
...
2016-03-04 12:03:22 charon: 12[CFG] selecting proposal:
2016-03-04 12:03:22 charon: 12[CFG] proposal matches
2016-03-04 12:03:22 charon: 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CHD] using AES_CBC for encryption
2016-03-04 12:03:22 charon: 12[CHD] using HMAC_SHA1_96 for integrity
2016-03-04 12:03:22 charon: 12[CHD] adding inbound ESP SA
2016-03-04 12:03:22 charon: 12[CHD] SPI 0xccb8b9b0, src 192.168.7.10 dst 192.168.7.100
...
</pre>


ipsec statusall:
<pre>
Security Associations (1 up, 0 connecting):
ipsec2[1]: ESTABLISHED 5 minutes ago, 192.168.7.100[192.168.7.100]...192.168.7.10[192.168.7.10]
ipsec2[1]: IKEv1 SPIs: 049b7dff3b61cee7_i* 52576fef01e7f674_r, pre-shared key reauthentication in 40 minutes
ipsec2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ipsec2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ccb8b9b0_i c6c760e9_o
ipsec2{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
ipsec2{1}: 192.168.2.0/24 === 192.168.30.0/24
</pre>



Is the ESP DH group correctly configured/set?

Thanks.

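As an added check that is not part of the original report or of strongSwan itself: the CHILD_SA line of ipsec statusall quoted above lists only the cipher and integrity algorithm, so the charon log's "selected proposal: ESP:" line is where a negotiated PFS group can actually be confirmed. The Python below parses that log line together with the esp= keyword and reports whether a DH group was negotiated and whether it matches the configuration. The sample log is constructed from the excerpt above; the mapping from ipsec.conf tokens to charon's group names covers only the plain modp/ecp/curve forms (an assumption made here, subgroup variants such as modp2048s256 are not mapped).

```python
import re
from typing import List, Optional

# Constructed sample input, modelled on the charon log excerpt in the report
# (not captured from a live system).
SAMPLE_LOG = """\
2016-03-04 12:03:22 charon: 12[CFG] selecting proposal:
2016-03-04 12:03:22 charon: 12[CFG] proposal matches
2016-03-04 12:03:22 charon: 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
2016-03-04 12:03:22 charon: 12[CHD] using AES_CBC for encryption
2016-03-04 12:03:22 charon: 12[CHD] using HMAC_SHA1_96 for integrity
"""

SELECTED_ESP_RE = re.compile(r"selected proposal: ESP:(\S+)")
# charon names DH groups MODP_<bits>, ECP_<bits> or CURVE_<n> in proposal strings.
CHARON_DH_RE = re.compile(r"^(MODP|ECP|CURVE)_\d+")


def keyword_to_charon_group(token: str) -> Optional[str]:
    """Map an ipsec.conf algorithm token (e.g. 'modp1536') to charon's DH
    group name ('MODP_1536'), or None when the token is not a DH group.
    Assumption: only plain modp/ecp/curve tokens are handled here."""
    m = re.fullmatch(r"(modp|ecp)(\d+)", token)
    if m:
        return f"{m.group(1).upper()}_{m.group(2)}"
    m = re.fullmatch(r"curve(\d+)", token)
    if m:
        return f"CURVE_{m.group(1)}"
    return None


def configured_dh_groups(esp_keyword: str) -> List[Optional[str]]:
    """For each comma-separated proposal in an esp= value, return the DH
    group it requests (charon naming) or None if the proposal has no group,
    i.e. no PFS is requested for that proposal."""
    groups: List[Optional[str]] = []
    for proposal in esp_keyword.split(","):
        found = None
        for token in proposal.strip().split("-"):
            found = keyword_to_charon_group(token) or found
        groups.append(found)
    return groups


def dh_group_of(proposal: str) -> Optional[str]:
    """Return the DH group in a charon ESP proposal string such as
    'AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ', or None if the
    CHILD_SA was negotiated without PFS."""
    for alg in proposal.split("/"):
        if CHARON_DH_RE.match(alg):
            return alg
    return None


def selected_esp_proposal(log_text: str) -> Optional[str]:
    """Return the most recent ESP proposal charon logged as selected, or None.
    The 'ESP:' prefix keeps IKE proposal lines from matching."""
    matches = SELECTED_ESP_RE.findall(log_text)
    return matches[-1] if matches else None


def pfs_check(esp_keyword: str, log_text: str) -> dict:
    """Compare the DH groups requested by esp= with the group charon actually
    negotiated for the most recent CHILD_SA in the log."""
    configured = configured_dh_groups(esp_keyword)
    selected = selected_esp_proposal(log_text)
    negotiated = dh_group_of(selected) if selected else None
    return {
        "configured": configured,
        "negotiated": negotiated,
        "pfs": negotiated is not None,
        "matches_config": negotiated is not None and negotiated in configured,
    }


if __name__ == "__main__":
    # With the report's esp= line and log, this reports PFS with MODP_1536.
    print(pfs_check("aes128-sha1-modp1536", SAMPLE_LOG))
```

Run it against the daemon's log (e.g. the syslog lines tagged charon) rather than against ipsec statusall output; a result with "pfs": False means the CHILD_SA was established without a DH exchange even if esp= names a group, which for IKEv1 is worth checking on both peers since the responder's configuration decides whether the group is honoured.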