Migration to swanctl/vici for RAS IKEv2 clients and PFS error from other vendor gateway

[orottler]

tried first time to change my RAS IKEv2 client setup from ipsec.conf (load_test.conf) to swnact.conf.
Missed anywho the old leftside %config option. Don't know if really required, because the gateway is configured to push it everytime (IPv4 radius assigned IP, 2 DNS server, IPv6 deactivated in /strongswan-5.9.13/src/libcharon/plugins/load_tester/load_tester_config.c
by removing the IPv6 feature introduced f3f93cade91448ac5dd66a028714e29479790ffuff
(delete/comment out line 759 peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6));)

And for sure, there is really a difference in the attached log's, load_test comes with %config, swanctl with the default (interface address of the client);: line 2791 in the attached table.
Is there a way in configuration to produce also here the config request ?

The Responder (cisco gateway asa 9.16) accept phase 1 properly and reject phase 2 with no matching proposals.
It doesnt provide a helpful debug, only

• treat the request as Side to Side request instead as intended RAS (landed on the right RAS dynamic profil on the responde)
• claims there is no PFS in the initiator request and fails

On the gateway and in both variants I did configure esp_proposals = aes256-sha256-modp4096 (even changing to an other groups or none didn't change the responder behaviour).
Both machines did accept the value 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
Seems both variants send the first phase 2 auth request without PFS in line 2797 09[CFG] <vpn01-qs|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
but I think at this point the PFS of phase 1 should be taken and a PFS negotiation occours later during rekeying here if needed.

System OS: RedHat9.3
Kernel version (if applicable): 5.14.0-362.18.1.el9_3.x86_64
strongSwan version(s): 5.9.13
Tested/confirmed with the latest version: yes (think is the latest stable)
single.log
loadtest.log
strongswan.ods
strongswan.xlsx

[tobiasbrunner]

Missed anywho the old leftside %config option.

If you are referring to the leftsourceip option, then maybe read the docs on virtual IP addresses. There is also a migration document in the old wiki.

• claims there is no PFS in the initiator request and fails

The initial IKEv2 CHILD_SA never has PFS unless it's created in a separate CREATE_CHILD_SA exchange (requires childless IKE_SA initiation). So if that's actually the complaint, that might be a bug.

[orottler]

sorry, that I didn't recognize, we call it assigned IP everytimes and didn't associate virtual. Using VIP the responder works now as expected Thank you very much and a nice week !