On Wed, Jan 27, 2021 at 3:28 AM Tobias Heider <[email protected]> wrote:
> looks like a PFS problem.
>
> Here's where it fails:
> > Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175:
> > ikev2_log_proposal: ESP #1 DH=MODP_2048
>
> At the moment, PFS groups must be enabled manually.
> Try this:
>
> ikev2 "home" passive esp inet \
>     from 10.0.10.0/24 to 10.0.1.0/24 \
>     from 10.0.10.0/24 to 10.0.4.0/24 \
>     from 10.0.10.0/24 to 10.0.7.0/24 \
>     local responder peer initiator \
>     childsa group modp2048 \
>     srcid "/CN=responder" dstid "/CN=initiator"
Worked like a charm, of course. Thank you!

I recall now having seen this and not understood it at the time:

"For IKEv2 the keys for the first CHILD_SA, created implicitly with the IKE_SA, will always be derived from the IKE_SA's key material. So any DH group set here only applies when the CHILD_SA is later rekeyed or created with a CREATE_CHILD_SA exchange on an existing IKE_SA. A proposal mismatch may, therefore, not immediately be detected when the SA is established, but may later cause rekeying to fail."

-- 
Darren Spruell
[email protected]
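The practical problem in this thread is that a CHILD_SA PFS mismatch only surfaces at rekey time, in an ikev2_log_proposal line, and the fix is a `childsa group` line in iked.conf. The script below is an added example written for this note, not code from either poster or from OpenBSD iked: it pulls the ESP DH groups out of ikev2_log_proposal lines, reads the `childsa group` entries from an iked.conf policy, and reports SPIs whose proposed groups the local policy never enables. The log lines and the two config snippets are constructed from the ones quoted above (hostname, pid, SPI and the second ECP_256 proposal are made up); the rule that maps the config spelling modp2048 to the log spelling MODP_2048 is an assumption generalized from the one MODP_2048 line in the thread, as is the assumption that the logged proposal is the peer's.

```python
import re
from collections import defaultdict

# Constructed sample iked log lines, modelled on the single line quoted in
# the thread. Hostname, pid, SPI and the second (ECP_256) proposal are made up.
SAMPLE_LOG = """\
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_log_proposal: ESP #1 DH=MODP_2048
Jan 26 18:48:30 strannik iked[41041]: spi=0x6184b254a8e8d175: ikev2_log_proposal: ESP #2 DH=ECP_256
"""

# Constructed iked.conf policies: the first never enables PFS, the second
# carries the "childsa group" line suggested in the thread.
SAMPLE_CONF_NO_PFS = """\
ikev2 "home" passive esp inet \\
    from 10.0.10.0/24 to 10.0.1.0/24 \\
    local responder peer initiator \\
    srcid "/CN=responder" dstid "/CN=initiator"
"""

SAMPLE_CONF_PFS = """\
ikev2 "home" passive esp inet \\
    from 10.0.10.0/24 to 10.0.1.0/24 \\
    local responder peer initiator \\
    childsa group modp2048 \\
    srcid "/CN=responder" dstid "/CN=initiator"
"""

PROPOSAL_RE = re.compile(r"spi=(0x[0-9a-f]+): ikev2_log_proposal: ESP #(\d+) DH=(\S+)")
CHILDSA_GROUP_RE = re.compile(r"childsa\s+group\s+(\S+)")


def normalize_group(name):
    """Map the iked.conf spelling (modp2048, ecp256) to the log spelling
    (MODP_2048, ECP_256). Assumption: the log writes the group with an
    underscore between letters and digits, as in the quoted MODP_2048 line."""
    m = re.fullmatch(r"([a-zA-Z]+)(\d+)", name)
    if not m:
        return name.upper()
    return f"{m.group(1).upper()}_{m.group(2)}"


def proposed_dh_groups(log_text):
    """Return {spi: [dh_group, ...]} for every ESP proposal logged by
    ikev2_log_proposal, in the order the proposals appear."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            groups[m.group(1)].append(m.group(3))
    return dict(groups)


def configured_childsa_groups(conf_text):
    """Return the set of PFS groups named by 'childsa group' in an iked.conf
    policy, normalized to the log spelling. An empty set means PFS was never
    enabled, which is the situation the thread started from."""
    # Join backslash continuation lines so the policy reads as one line.
    joined = conf_text.replace("\\\n", " ")
    return {normalize_group(g) for g in CHILDSA_GROUP_RE.findall(joined)}


def find_pfs_mismatches(log_text, conf_text):
    """Flag SPIs whose ESP proposals carry DH groups that the local policy
    does not enable. Each finding is (spi, proposed_groups, configured_groups);
    configured_groups == [] points straight at a missing 'childsa group'."""
    local = configured_childsa_groups(conf_text)
    findings = []
    for spi, proposed in proposed_dh_groups(log_text).items():
        if not any(g in local for g in proposed):
            findings.append((spi, proposed, sorted(local)))
    return findings


if __name__ == "__main__":
    for label, conf in (("no PFS", SAMPLE_CONF_NO_PFS), ("PFS", SAMPLE_CONF_PFS)):
        print(label, find_pfs_mismatches(SAMPLE_LOG, conf))
```

Because the first CHILD_SA is keyed from the IKE_SA, a tunnel with no `childsa group` comes up fine and only fails at rekey, so running this over the log after the first failed rekey (rather than at tunnel establishment) is what tells you whether the `childsa group` line is missing or simply names a different group than the peer proposes.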

