[Swan] question about pfsgroup

Paul Wouters paul at nohats.ca
Sat Apr 21 20:56:00 UTC 2018


On Mon, 2 Apr 2018, Xinwei Hong wrote:

> I'm still using libreswan 3.20. Both ends are using default ikev2=permit. So, ikev1 is used in my test cases. What I observed is that VPN still works even when pfsgroup does not match.
> (either no pfsgroup, or different group value). 
> 
> I feel sometime it's hard to determine from log what pfsgroup it's actually using. If I see this:
> Apr  2 20:17:53 vvr-10-69-244-19 pluto[10391]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #377: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #376 {using isakmp#4 msgid:9a47d103 proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
> 
> does it mean that modp1024 is used?
> 
> When I specify "pfs=no", at first it will have:
> Apr  2 20:23:27 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:de62bfd4 proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
> 
> when it rekeys later (set to expire after 1 minute), it shows
> Apr  2 20:24:13 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #5: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #3 {using isakmp#4 msgid:38e9b07b proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
> 
> what should I trust to find out the pfsgroup in use? 
> 
> At the same time, the other is actually racoon and has "pfs_group modp1536;". Seems mismatches do not affect either part.

This code is currently in flux, so I would really recommend you re-test
this against a 3.24rcX release candidate from download.libreswan.org.

We are still touching the related code over the next few days, so maybe
wait a few days before redoing your tests?

Note we are somewhat forgiving if no pfs was negotiated and it still is
done, because doing it is always better than not doing it.

Paul
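Since the question is which log line to trust for the pfsgroup actually in use, here is an added example (not libreswan's own code) that parses the "initiating Quick Mode" lines quoted above and flags an SA whose pfsgroup disagrees with its PFS policy flag, deviates from what the configuration expects, or differs from the previous Quick Mode of the same pluto instance and connection (the rekey behaviour observed in the thread). It assumes the log format shown in the quoted lines; the sample lines are those excerpts re-joined into the single syslog lines pluto writes.

```python
import re

# Constructed sample: the three Quick Mode excerpts quoted in the thread, each
# re-joined into the single syslog line pluto actually writes.
SAMPLE_LOG = """\
Apr  2 20:17:53 vvr-10-69-244-19 pluto[10391]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #377: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #376 {using isakmp#4 msgid:9a47d103 proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
Apr  2 20:23:27 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:de62bfd4 proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
Apr  2 20:24:13 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #3 {using isakmp#4 msgid:38e9b07b proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
"""

# Fields of an IKEv1 "initiating Quick Mode" line (the optional "vpn-...: " prefix
# before the conn name is the per-connection log prefix seen in the quoted lines).
QM_RE = re.compile(
    r'pluto\[(?P<pid>\d+)\]: (?:\S+: )?"(?P<conn>[^"]+)" #(?P<sa>\d+): initiating Quick Mode '
    r'(?P<flags>[A-Z0-9_+]+)(?: to replace #(?P<replaces>\d+))? \{using isakmp#(?P<isakmp>\d+) '
    r'msgid:(?P<msgid>[0-9a-f]+) proposal=(?P<proposal>\S+) pfsgroup=(?P<pfsgroup>[^}]+)\}'
)

def parse_quick_mode(lines):
    """Return one dict per Quick Mode line; all other log lines are skipped."""
    records = []
    for line in lines:
        m = QM_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sa"] = int(rec["sa"])
        rec["replaces"] = int(rec["replaces"]) if rec["replaces"] else None
        rec["pfs_flag"] = "PFS" in rec["flags"].split("+")  # policy asked for PFS
        rec["pfs_used"] = rec["pfsgroup"] != "no-pfs"        # a DH group was actually used
        records.append(rec)
    return records

def audit_pfs(records, expected=None):
    """Return (sa, reason) findings: PFS flag vs pfsgroup disagreement, deviation from
    the expected group ("no-pfs" for pfs=no, or e.g. "MODP1536"), and a pfsgroup change
    between consecutive Quick Modes of the same pluto instance and connection."""
    findings, last = [], {}  # last: (pid, conn) -> previous Quick Mode record
    for rec in records:
        if rec["pfs_flag"] != rec["pfs_used"]:
            findings.append((rec["sa"], f"PFS flag and pfsgroup={rec['pfsgroup']} disagree"))
        if expected and rec["pfsgroup"].lower() != expected.lower():
            findings.append((rec["sa"], f"pfsgroup={rec['pfsgroup']}, expected {expected}"))
        key = (rec["pid"], rec["conn"])
        prev = last.get(key)
        if prev and prev["pfsgroup"] != rec["pfsgroup"]:
            findings.append((rec["sa"], f"pfsgroup changed {prev['pfsgroup']} -> {rec['pfsgroup']}"))
        last[key] = rec
    return findings
```

Run with `expected="no-pfs"` for a pfs=no configuration, or with the group configured on the peer, and each SA whose logged pfsgroup deviates is reported by its SA number.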

