Re: iked(8) CREATE_CHILD_SA successful at initial connection time, fail at rekey interval

[Tobias Heider]

Hi,

looks like a PFS problem.

Here's where it fails:
> Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
> ikev2_log_proposal: ESP #1 DH=MODP_2048

At the moment, PFS groups must be enabled manually.
Try this:

ikev2 "home" passive esp inet \
        from 10.0.10.0/24 to 10.0.1.0/24 \
        from 10.0.10.0/24 to 10.0.4.0/24 \
        from 10.0.10.0/24 to 10.0.7.0/24 \
        local responder peer initiator \
        childsa group modp2048 \
        srcid "/CN=responder" dstid "/CN=initiator"

- Tobias