Re: [Swan] Does libreswan supports DH negotiation in ESP?

2017-05-17 Thread Paul Wouters

On Wed, 17 May 2017, Ivan Kuznetsov wrote:

> I am trying to set up a site-to-site tunnel using ESP, IKEv2 and certificates. My
> side is Oracle Linux 6 (a RHEL6 clone from Oracle), libreswan 3.20, NETKEY
> stack as initiator. Other side is strongswan, don't know exact version (not
> under my control), as responder.

> So it occurred that DH group is NOT negotiated despite that modp2048 is
> configured for ESP on both sides.


PFS improvements are currently being merged in and should make it into
3.21. Note that we have seen invalid proposals from strongswan in the
wild, due to its lack of "strict mode" per default, resulting in a mix
of proposals in CREATE_CHILD_SA that have a DH group but no matching
KE payload.

libreswan before 3.21 will at rekey time start a whole new IKE_INIT
exchange with a fresh DH exchange, so you can just set your end's
ikelifetime shorter than the remote, and get an "indirect" PFS.

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
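
Added example (not part of the thread and not libreswan code): a Python check that reads pluto debug output in the format quoted in the original post and lists the ESP proposals that carry no DH transform. Transform types are classified by their RFC 7296 numeric codes; the function names and the constructed second proposal in the sample are assumptions.

```python
import re

# RFC 7296 numbers: transform type 4 is the Diffie-Hellman group, protocol ID 3 is ESP.
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
ESP_PROTO_ID = 3
PROPOSAL_RE = re.compile(r"\|\s*\**\s*(?:emit|parse) IKEv2 Proposal Substructure Payload")
FIELD_RE = re.compile(
    r"\|\s*(prop #|proto ID|IKEv2 transform type):\s*\S+\s+\((0x[0-9a-fA-F]+)\)")

def parse_proposals(log_text):
    """Return one dict per proposal substructure found in pluto debug output."""
    proposals, current = [], None
    for line in log_text.splitlines():
        if PROPOSAL_RE.search(line):
            current = {"prop #": None, "proto ID": None, "transforms": []}
            proposals.append(current)
            continue
        m = FIELD_RE.search(line)
        if m is None or current is None:
            continue
        key, code = m.group(1), int(m.group(2), 16)
        if key == "IKEv2 transform type":
            # Classify by numeric code, not by the printed name.
            current["transforms"].append(TRANSFORM_TYPES.get(code, hex(code)))
        else:
            current[key] = code
    return proposals

def esp_proposals_without_dh(log_text):
    """Proposal numbers of ESP proposals that carry no DH transform."""
    return [p["prop #"] for p in parse_proposals(log_text)
            if p["proto ID"] == ESP_PROTO_ID and "DH" not in p["transforms"]]

# Proposal 1 is abridged from the log in the original post. Proposal 2 is
# constructed; its TRANS_TYPE_DH name is assumed, only the code 0x4 is used.
SAMPLE_LOG = """\
May 16 12:55:39: | **emit IKEv2 Proposal Substructure Payload:
May 16 12:55:39: |prop #: 1 (0x1)
May 16 12:55:39: |proto ID: IKEv2_SEC_PROTO_ESP (0x3)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_ESN (0x5)
May 16 12:55:40: | **emit IKEv2 Proposal Substructure Payload:
May 16 12:55:40: |prop #: 2 (0x2)
May 16 12:55:40: |proto ID: IKEv2_SEC_PROTO_ESP (0x3)
May 16 12:55:40: |IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
May 16 12:55:40: |IKEv2 transform type: TRANS_TYPE_DH (0x4)
"""
```

In IKE_AUTH the first child SA takes its keys from the IKE SA's DH exchange (RFC 7296), so a proposal without a DH transform there is expected; the check matters for CREATE_CHILD_SA proposals.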


[Swan] Does libreswan supports DH negotiation in ESP?

2017-05-17 Thread Ivan Kuznetsov

Hello

I am trying to set up a site-to-site tunnel using ESP, IKEv2 and 
certificates. My side is Oracle Linux 6 (a RHEL6 clone from Oracle), 
libreswan 3.20, NETKEY stack as initiator. Other side is strongswan, 
don't know exact version (not under my control), as responder.


My configuration:

conn TO_CLIENT
    connaddrfamily=ipv4
    type=tunnel
    auto=ondemand
    authby=rsasig
    left=%defaultroute
    leftsubnet=172.16.96.0/27
    leftcert="VPN Certificate for supportsolvo"
    leftid=%fromcert
    leftrsasigkey=AbCdEfGhi
    leftsendcert=always

    right=client.router.fqdn
    rightsubnets={172.16.71.0/26 172.16.17.0/24 172.16.40.0/26}
    rightid=@client.router.fqdn
    rightca=%same

    ikev2=propose
    ikelifetime=8h
    initial-contact=yes
    pfs=yes
    ike=aes256-sha2;modp2048

    phase2=esp
    salifetime=80m
    phase2alg=aes256-sha2;modp2048
    rekey=yes
    rekeymargin=10m
    keyingtries=3

    fragmentation=yes
    nat_keepalive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

Other side configuration:

conn IKEv2-SOLVO
 left=client.router.fqdn
 leftcert=vpn3-host-cert.der
 leftid=client.router.fqdn
 leftsubnet=172.16.71.0/26
 right=our.public.ip.network/24
 rightcert=vpn3-supportsolvo-cert.der
 rightid=vpn3-supportsolvo
 rightsubnet=172.16.96.0/27
 ike=aes256-sha256-modp2048!
 esp=aes256-sha256-modp2048!
 auto=add

Please note that modp2048 is configured for phase 2 on both sides

Tunnel is up on request (ipsec whack --initiate --name TO_CLIENT) and 
works fine until a rekey request by other side in ~50min. I see in my 
log that at initial time libreswan does not propose DH group at 2nd 
phase, only 3 transforms:


May 16 12:55:39: | **emit IKEv2 Proposal Substructure Payload:
May 16 12:55:39: |last proposal: v2_PROPOSAL_LAST (0x0)
May 16 12:55:39: |prop #: 1 (0x1)
May 16 12:55:39: |proto ID: IKEv2_SEC_PROTO_ESP (0x3)
May 16 12:55:39: |spi size: 4 (0x4)
May 16 12:55:39: |# transforms: 3 (0x3)
May 16 12:55:39: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
May 16 12:55:39: | our spi  79 2f b8 d4
May 16 12:55:39: | ***emit IKEv2 Transform Substructure Payload:
May 16 12:55:39: |last transform: v2_TRANSFORM_NON_LAST (0x3)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
May 16 12:55:39: |IKEv2 transform ID: AES_CBC (0xc)
May 16 12:55:39: | emit IKEv2 Attribute Substructure Payload:
May 16 12:55:39: |af+type: IKEv2_KEY_LENGTH (0x800e)
May 16 12:55:39: |length/value: 256 (0x100)
May 16 12:55:39: | emitting length of IKEv2 Transform Substructure Payload: 12
May 16 12:55:39: | ***emit IKEv2 Transform Substructure Payload:
May 16 12:55:39: |last transform: v2_TRANSFORM_NON_LAST (0x3)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
May 16 12:55:39: |IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
May 16 12:55:39: | emitting length of IKEv2 Transform Substructure Payload: 8
May 16 12:55:39: | ***emit IKEv2 Transform Substructure Payload:
May 16 12:55:39: |last transform: v2_TRANSFORM_LAST (0x0)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_ESN (0x5)
May 16 12:55:39: |IKEv2 transform ID: ESN_DISABLED (0x0)

but some lines later shows:

May 16 12:55:39: "TO_CLIENT/0x1" #94: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP2048}


Other side reply parsing:

May 16 12:55:39: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals
May 16 12:55:39: | parse IKEv2 Transform Substructure Payload:
May 16 12:55:39: |last transform: v2_TRANSFORM_NON_LAST (0x3)
May 16 12:55:39: |length: 12 (0xc)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
May 16 12:55:39: |IKEv2 transform ID: AES_CBC (0xc)
May 16 12:55:39: | *parse IKEv2 Attribute Substructure Payload:
May 16 12:55:39: |af+type: IKEv2_KEY_LENGTH (0x800e)
May 16 12:55:39: |length/value: 256 (0x100)
May 16 12:55:39: | parse IKEv2 Transform Substructure Payload:
May 16 12:55:39: |last transform: v2_TRANSFORM_NON_LAST (0x3)
May 16 12:55:39: |length: 8 (0x8)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
May 16 12:55:39: |IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
May 16 12:55:39: | parse IKEv2 Transform Substructure Payload:
May 16 12:55:39: |last transform: v2_TRANSFORM_LAST (0x0)
May 16 12:55:39: |length: 8 (0x8)
May 16 12:55:39: |IKEv2 transform type: TRANS_TYPE_ESN (0x5)
May 16 12:55:39: |IKEv2 transform ID: ESN_DISABLED (0x0)
May 16 12:55:39: | remote proposal 1 matches local proposal 1
May 16 12:55:39: | proposal 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] was accepted
May