If you are referring to the
The initial IKEv2 CHILD_SA never has PFS unless it's created in a separate CREATE_CHILD_SA exchange (requires childless IKE_SA initiation). So if that's actually the complaint, that might be a bug.
-
Tried for the first time to change my RAS IKEv2 client setup from ipsec.conf (load_test.conf) to swanctl.conf.
Missed anyhow the old leftside %config option. Don't know if it is really required, because the gateway is configured to push it every time (IPv4 RADIUS-assigned IP, 2 DNS servers, IPv6 deactivated in /strongswan-5.9.13/src/libcharon/plugins/load_tester/load_tester_config.c
by removing the IPv6 feature introduced f3f93cade91448ac5dd66a028714e29479790ffuff
(delete/comment out line 759 peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6));)
And for sure, there is really a difference in the attached logs: load_test comes with %config, swanctl with the default (interface address of the client); see line 2791 in the attached table.
Is there a way in the configuration to produce the config request here as well?
The responder (Cisco gateway ASA 9.16) accepts phase 1 properly and rejects phase 2 with no matching proposals.
It doesn't provide a helpful debug, only
On the gateway and in both variants I did configure esp_proposals = aes256-sha256-modp4096 (even changing to other groups or to none didn't change the responder behaviour).
Both machines did accept the value 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
It seems both variants send the first phase 2 auth request without PFS, line 2797: 09[CFG] <vpn01-qs|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
but I think at this point the PFS of phase 1 should be taken and a PFS negotiation occurs later during rekeying here if needed.
System OS: RedHat9.3
Kernel version (if applicable): 5.14.0-362.18.1.el9_3.x86_64
strongSwan version(s): 5.9.13
Tested/confirmed with the latest version: yes (think is the latest stable)
single.log
loadtest.log
strongswan.ods
strongswan.xlsx
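Added example, not part of the original post and not a configuration shipped by the strongSwan project: a swanctl.conf connection that covers both points raised in this thread. The `vips` line is the swanctl equivalent of the old leftsourceip=%config (it makes the client send a configuration request for an IPv4 virtual IP and DNS servers), and `childless` asks for RFC 6023 childless IKE_SA initiation so that the first CHILD_SA is negotiated in a CREATE_CHILD_SA exchange, where the DH group in `esp_proposals` is actually used. The connection and child names (vpn01, qs) are taken from the log line in the post; the gateway address, identities and the EAP authentication method are placeholders, since the post does not state them.

```conf
# Added example (not from the original post or the strongSwan project).
# Gateway address, identities and auth method are assumed placeholders.
connections {
    vpn01 {
        version = 2
        remote_addrs = gw.example.net      # assumed gateway address
        proposals = aes256-sha256-modp4096 # IKE_SA proposal

        # Request an arbitrary IPv4 virtual IP (and with it the pushed DNS
        # servers) via an IKEv2 CP(CFG_REQUEST) payload. This is what
        # leftsourceip=%config did in ipsec.conf. Add "::" to also ask for IPv6.
        vips = 0.0.0.0

        # Childless IKE_SA initiation (RFC 6023): the initial CHILD_SA is then
        # created in a separate CREATE_CHILD_SA exchange and gets its own DH
        # exchange (PFS). "prefer" falls back to the normal IKE_AUTH-piggybacked
        # CHILD_SA (no PFS) if the responder does not advertise support;
        # "force" would fail the IKE_SA instead.
        childless = prefer

        local {
            auth = eap-mschapv2            # assumed; gateway uses RADIUS
            eap_id = user@example.net      # placeholder identity
        }
        remote {
            auth = pubkey
            id = gw.example.net            # placeholder gateway identity
        }

        children {
            qs {
                # modp4096 here is only used in CREATE_CHILD_SA exchanges
                # (rekeying, or the initial CHILD_SA when childless init is
                # in effect); it is stripped from the IKE_AUTH proposal.
                esp_proposals = aes256-sha256-modp4096
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
}
```

After `swanctl --load-all` and `swanctl --initiate --child qs`, the charon log should show a CP payload carrying the configuration request in IKE_AUTH, and with childless initiation in effect the CHILD_SA should appear only after a CREATE_CHILD_SA exchange. Whether the ASA honours the childless request is something only the log can tell; if it does not, `prefer` leaves you exactly where the post is, with a first CHILD_SA that has no DH group and the DH group applied at the first rekey.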