Wednesday, January 27, 2021

Re: iked(8) CREATE_CHILD_SA successful at initial connection time, fail at rekey interval

Hi,

Looks like a PFS problem.

Here's where it fails:
> Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
> ikev2_log_proposal: ESP #1 DH=MODP_2048

At the moment, PFS groups must be enabled manually.
Try this:

ikev2 "home" passive esp inet \
from 10.0.10.0/24 to 10.0.1.0/24 \
from 10.0.10.0/24 to 10.0.4.0/24 \
from 10.0.10.0/24 to 10.0.7.0/24 \
local responder peer initiator \
childsa group modp2048 \
srcid "/CN=responder" dstid "/CN=initiator"

- Tobias
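A small diagnostic for the mismatch described in this reply, added here as an example and not code from the thread or from iked itself: it joins the backslash-continued policy lines of an iked.conf fragment, collects the DH groups enabled under "childsa", pulls the DH group out of "ikev2_log_proposal: ESP ..." log lines like the one quoted above, and reports which proposed groups a policy has not enabled. The config and log samples are constructed from the lines in the thread; the list of keywords assumed to end the "childsa" segment and the group-name normalization (MODP_2048 to modp2048) are assumptions, not something iked.conf(5) documents.

```python
import re

# Constructed sample policies, modelled on the one quoted in the reply.
# The first omits the "childsa group" line; the second is the suggested fix.
CONF_WITHOUT_PFS = r'''ikev2 "home" passive esp inet \
from 10.0.10.0/24 to 10.0.1.0/24 \
local responder peer initiator \
srcid "/CN=responder" dstid "/CN=initiator"
'''

CONF_WITH_PFS = r'''ikev2 "home" passive esp inet \
from 10.0.10.0/24 to 10.0.1.0/24 \
local responder peer initiator \
childsa group modp2048 \
srcid "/CN=responder" dstid "/CN=initiator"
'''

# Constructed log lines in the format of the one quoted in the thread;
# the IKE line is there only to show that non-ESP proposals are ignored.
LOG_LINES = [
    'Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: '
    'ikev2_log_proposal: ESP #1 DH=MODP_2048',
    'Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: '
    'ikev2_log_proposal: IKE #1 DH=MODP_2048',
]

_CONT = re.compile(r'\\\n')                       # backslash line continuation
_POLICY = re.compile(r'^\s*ikev2\s+"([^"]+)"\s+(.*)$')
# Assumption: the childsa transform list ends at one of these keywords.
_CHILDSA = re.compile(
    r'\bchildsa\b(.*?)(?=\b(?:ikesa|srcid|dstid|ikelifetime|lifetime|psk|tag|tap)\b|$)')
_GROUP = re.compile(r'\bgroup\s+(\S+)')
_PROPOSAL = re.compile(
    r'spi=(0x[0-9a-fA-F]+):\s*ikev2_log_proposal:\s*(\w+)\s+#\d+.*?DH=(\S+)')


def join_continuations(text):
    """Fold 'line \\' continuations so each policy is one logical line."""
    return _CONT.sub(' ', text)


def normalize_group(name):
    """Assumed mapping between log spelling (MODP_2048) and config spelling (modp2048)."""
    return name.lower().replace('_', '')


def policy_childsa_groups(conf_text):
    """Map policy name -> set of DH groups enabled under 'childsa'."""
    policies = {}
    for line in join_continuations(conf_text).splitlines():
        m = _POLICY.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        groups = set()
        cm = _CHILDSA.search(rest)
        if cm:
            groups = {normalize_group(g) for g in _GROUP.findall(cm.group(1))}
        policies[name] = groups
    return policies


def esp_proposal_groups(log_lines):
    """Return (spi, group) for every ESP proposal in the logs that carries a DH group."""
    found = []
    for line in log_lines:
        m = _PROPOSAL.search(line)
        if m and m.group(2) == 'ESP':
            found.append((m.group(1), normalize_group(m.group(3))))
    return found


def check_pfs(conf_text, log_lines):
    """Per policy, list the DH groups the peer proposed for ESP that are not enabled locally."""
    policies = policy_childsa_groups(conf_text)
    wanted = sorted({g for _, g in esp_proposal_groups(log_lines)})
    return {name: [g for g in wanted if g not in groups]
            for name, groups in policies.items()}


if __name__ == '__main__':
    for label, conf in (('without childsa group', CONF_WITHOUT_PFS),
                        ('with childsa group', CONF_WITH_PFS)):
        print(label, '->', check_pfs(conf, LOG_LINES))
```

Run against the two constructed policies, the first reports modp2048 as missing for "home" (the rekey proposal carries a DH group the responder policy never enabled) and the second reports nothing missing.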
