Wednesday, January 27, 2021

Re: iked(8) CREATE_CHILD_SA successful at initial connection time, fail at rekey interval

On Wed, Jan 27, 2021 at 3:28 AM Tobias Heider <tobias.heider@stusta.de> wrote:
> looks like a PFS problem.
>
> Here's where it fails:
> > Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
> > ikev2_log_proposal: ESP #1 DH=MODP_2048
>
> At the moment, PFS groups must be enabled manually.
> Try this:
>
> ikev2 "home" passive esp inet \
> from 10.0.10.0/24 to 10.0.1.0/24 \
> from 10.0.10.0/24 to 10.0.4.0/24 \
> from 10.0.10.0/24 to 10.0.7.0/24 \
> local responder peer initiator \
> childsa group modp2048 \
> srcid "/CN=responder" dstid "/CN=initiator"

Worked like a charm, of course. Thank you!

I recall now having seen this and not understood it at the time:

"For IKEv2 the keys for the first CHILD_SA, created implicitly with
the IKE_SA, will always be derived from the IKE_SA's key material. So
any DH group set here only applies when the CHILD_SA is later rekeyed
or created with a CREATE_CHILD_SA exchange on an existing IKE_SA. A
proposal mismatch may, therefore, not immediately be detected when the
SA is established, but may later cause rekeying to fail."

--
Darren Spruell
phatbuckett@gmail.com
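The behaviour the quoted man-page text describes can be made concrete with a small model of IKEv2 CHILD_SA proposal selection. The following is an added example, not code from the thread, iked(8) or any IKE implementation: it treats a proposal as one set of acceptable transform IDs per transform type, drops the DH transform from the first CHILD_SA negotiated in IKE_AUTH (whose keys come from the IKE_SA), and compares it like any other type in CREATE_CHILD_SA. The responder policies mirror the two iked.conf variants above (without and with `childsa group modp2048`); the initiator's DH offer is MODP_2048 from the log line, while the ENCR/INTEG algorithm names are constructed for illustration. Preference order, multiple proposals and the ESN transform are deliberately left out.

```python
"""Toy model of IKEv2 CHILD_SA proposal selection, showing why a PFS (DH
group) mismatch is invisible at IKE_AUTH and only surfaces at rekey."""
from typing import Dict, Optional, Set

# Transform types from an ESP proposal (ESN omitted for brevity).
ENCR, INTEG, DH = "ENCR", "INTEG", "DH"

Proposal = Dict[str, Set[str]]  # transform type -> acceptable transform IDs


def select(initiator: Proposal, responder: Proposal) -> Optional[Dict[str, str]]:
    """Pick one transform of each type that both sides accept.

    Returns the chosen transforms, or None where the responder would answer
    NO_PROPOSAL_CHOSEN: a type present on only one side, or a type with no
    common ID, is a mismatch.
    """
    if set(initiator) != set(responder):
        return None
    chosen: Dict[str, str] = {}
    for ttype, offered in initiator.items():
        common = offered & responder[ttype]
        if not common:
            return None
        # A set carries no preference order; pick deterministically.
        chosen[ttype] = sorted(common)[0]
    return chosen


def negotiate(exchange: str, initiator: Proposal,
              responder: Proposal) -> Optional[Dict[str, str]]:
    """Negotiate a CHILD_SA in the named exchange.

    IKE_AUTH: the first CHILD_SA takes its keys from the IKE_SA, so the DH
    transform is not negotiated; both sides' DH entries are dropped here.
    CREATE_CHILD_SA (rekey or additional SA): DH is compared like any other
    type, which is where a PFS mismatch finally shows up.
    """
    if exchange == "IKE_AUTH":
        initiator = {t: v for t, v in initiator.items() if t != DH}
        responder = {t: v for t, v in responder.items() if t != DH}
    elif exchange != "CREATE_CHILD_SA":
        raise ValueError(f"unknown exchange {exchange!r}")
    return select(initiator, responder)


# Constructed proposals. ENCR/INTEG names are illustrative; DH=MODP_2048 is
# what the failing ikev2_log_proposal line in the thread showed.
INITIATOR: Proposal = {
    ENCR: {"AES_CBC_256"},
    INTEG: {"HMAC_SHA2_256_128"},
    DH: {"MODP_2048"},
}
# Responder policy without "childsa group": no DH transform is offered.
RESPONDER_NO_PFS: Proposal = {ENCR: {"AES_CBC_256"}, INTEG: {"HMAC_SHA2_256_128"}}
# Responder policy with "childsa group modp2048".
RESPONDER_PFS: Proposal = {**RESPONDER_NO_PFS, DH: {"MODP_2048"}}


def lifetime(initiator: Proposal, responder: Proposal) -> Dict[str, bool]:
    """Outcome of the initial CHILD_SA and of its first rekey."""
    return {
        exch: negotiate(exch, initiator, responder) is not None
        for exch in ("IKE_AUTH", "CREATE_CHILD_SA")
    }


if __name__ == "__main__":
    for name, policy in (("no childsa group", RESPONDER_NO_PFS),
                         ("childsa group modp2048", RESPONDER_PFS)):
        print(f"{name:24s} {lifetime(INITIATOR, policy)}")
```

Running it shows the pattern from the original report: with no `childsa group` the IKE_AUTH CHILD_SA succeeds and the CREATE_CHILD_SA rekey fails; with `childsa group modp2048` both succeed. The practical check this suggests is to test a new policy against a rekey (or a forced `ikectl` reload with a short lifetime) rather than only against the initial connection.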
