[Swan] question about pfsgroup

Xinwei Hong xhong at skytap.com
Sun Apr 22 00:56:54 UTC 2018


Sure. Thank you! I will try it out.

Xinwei


> On Apr 21, 2018, at 1:56 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
>> On Mon, 2 Apr 2018, Xinwei Hong wrote:
>> 
>> I'm still using libreswan 3.20. Both ends are using default ikev2=permit. So, ikev1 is used in my test cases. What I observed is that VPN still works even when pfsgroup does not match.
>> (either no pfsgroup, or different group value). 
>> I feel sometimes it's hard to determine from log what pfsgroup it's actually using. If I see this:
>> Apr  2 20:17:53 vvr-10-69-244-19 pluto[10391]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #377: initiating Quick Mode
>> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #376 {using isakmp#4 msgid:9a47d103 proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
>> does it mean that modp1024 is used?
>> When I specify "pfs=no", at first it will have:
>> Apr  2 20:23:27 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #2: initiating Quick Mode
>> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:de62bfd4 proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
>> when it rekeys later (set to expire after 1 minute), it shows
>> Apr  2 20:24:13 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #5: initiating Quick Mode
>> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #3 {using isakmp#4 msgid:38e9b07b proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
>> what should I trust to find out the pfsgroup in use? 
>> At the same time, the other is actually racoon and has "pfs_group modp1536;". Seems mismatches do not affect either part.
> 
> This code is currently in flux, so I would really recommend you re-test
> this against a 3.24rcX release candidate from download.libreswan.org.
> 
> We are still touching the related code over the next few days, so maybe
> wait a few days before redoing your tests?
> 
> Note we are somewhat forgiving if no pfs was negotiated and it still is
> done, because doing it is always better than not doing it.
> 
> Paul

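One way to settle the "what should I trust" question from the logs, as an added example that is not part of this thread or of libreswan: it parses the Quick Mode records quoted above, cross-checks the PFS policy flag against the pfsgroup= value pluto reports, and compares that value with the group the administrator expects (modp1536 here, matching the racoon side's pfs_group). The only assumption is that records look exactly like the quoted lines, with the second half possibly wrapped onto a continuation line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Matches the pluto "initiating Quick Mode" records quoted in this thread.
QM_RE = re.compile(
    r'#(?P<sa>\d+): initiating Quick Mode\s+(?P<flags>[A-Z0-9_+]+)'
    r'(?: to replace #(?P<replaces>\d+))?\s*\{using isakmp#\d+ msgid:[0-9a-f]+ '
    r'proposal=(?P<proposal>\S+) pfsgroup=(?P<pfsgroup>[^}\s]+)\}')
@dataclass
class QuickModeSA:
    sa: int
    replaces: Optional[int]   # the SA this one rekeys, if any
    flags: frozenset          # policy bits such as PFS, TUNNEL, IKEV1_ALLOW
    proposal: str
    pfsgroup: str             # group pluto reports for this child SA, or "no-pfs"
def parse_quick_mode(log_text: str) -> List[QuickModeSA]:
    # Re-join wrapped continuation lines (no syslog timestamp) onto their record.
    records: List[str] = []
    for line in log_text.splitlines():
        if re.match(r"[A-Z][a-z]{2}\s+\d", line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return [QuickModeSA(int(m["sa"]), int(m["replaces"]) if m["replaces"] else None,
                        frozenset(m["flags"].split("+")), m["proposal"], m["pfsgroup"])
            for m in map(QM_RE.search, records) if m]
def audit_pfs(sas: List[QuickModeSA], expected_group: Optional[str]) -> List[Tuple[int, str]]:
    # Flag SAs whose pfsgroup disagrees with the PFS policy flag, or with the DH
    # group the administrator expects (expected_group=None: PFS not expected).
    findings = []
    for s in sas:
        negotiated = s.pfsgroup.lower() != "no-pfs"
        if ("PFS" in s.flags) != negotiated:
            findings.append((s.sa, f"PFS policy flag and pfsgroup={s.pfsgroup} disagree"))
        if expected_group is None and negotiated:
            findings.append((s.sa, f"PFS not expected but pfsgroup={s.pfsgroup}"))
        elif expected_group and s.pfsgroup.lower() != expected_group.lower():
            findings.append((s.sa, f"pfsgroup={s.pfsgroup}, expected {expected_group}"))
    return findings
# Constructed input: the three records quoted in this thread, mail quoting removed.
SAMPLE_LOG = """\
Apr  2 20:17:53 vvr-10-69-244-19 pluto[10391]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #377: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #376 {using isakmp#4 msgid:9a47d103 proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
Apr  2 20:23:27 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:de62bfd4 proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
Apr  2 20:24:13 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #5: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #3 {using isakmp#4 msgid:38e9b07b proposal=3DES(3)_000-SHA1(2) pfsgroup=MODP1024}
"""
for sa_id, msg in audit_pfs(parse_quick_mode(SAMPLE_LOG), "modp1536"):
    print(f"#{sa_id}: {msg}")
```

With modp1536 expected, all three SAs are reported: #377 and #5 negotiated MODP1024, and #2 negotiated no PFS at all even though it was rekeyed with PFS later.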
