Problems enabling Perfect Forward Secrecy with IPSEC

Hi,

I am configuring a VPN server using IPSEC/L2TP. The setup works fine, with the exception that PFS does not appear to work: the generated security associations of an established VPN connection do not have the P flag set, e.g.:

Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x89A099A src-address=X.X.X.X dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=18458

 1 E  spi=0xA78E4A0 src-address=X.X.X.X dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=17781

I have configured the PFS group in the proposal on both the client (racoon) and Mikrotik. E.g.:

Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048

Has anyone managed to get PFS working over IPSEC?

Regards,
Achelon
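
An added example, not part of the original post: a Python check that parses print-outs in the format shown above and lists the SPIs of installed SAs that lack the P flag while an enabled proposal sets a pfs-group. The sample text is constructed from the post's masked output; the function names and the treatment of `pfs-group=none` as "PFS off" are assumptions.

```python
import re

# Constructed sample input, copied from the masked print-outs in the post.
SA_OUTPUT = '''Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x89A099A src-address=X.X.X.X dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=18458

 1 E  spi=0xA78E4A0 src-address=X.X.X.X dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=17781
'''
PROPOSAL_OUTPUT = '''Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048
'''

# A record starts with an index, then optional flag letters, then key=value pairs.
RECORD_START = re.compile(r'^\s*(\d+)\s+([A-Z* ]*?)\s*(?=[a-z][\w-]*=)')
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_records(text):
    """Return one dict per record; wrapped continuation lines are merged in."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('Flags:'):
            continue  # blank separator or the flag legend
        m = RECORD_START.match(line)
        if m:
            flags = set(m.group(2).replace(' ', ''))
            records.append({'id': int(m.group(1)), 'flags': flags})
            line = line[m.end():]
        elif not records:
            continue  # stray text before the first record
        # Values stop at whitespace, so the time part of addtime is dropped.
        for key, value in KEY_VALUE.findall(line):
            records[-1][key] = value.strip('"')
    return records

def sas_missing_pfs(sa_text, proposal_text):
    """SPIs of SAs without the P flag, if an enabled proposal asks for PFS."""
    enabled = [p for p in parse_records(proposal_text) if 'X' not in p['flags']]
    # Assumption: a missing pfs-group or pfs-group=none means PFS is not requested.
    if not any(p.get('pfs-group', 'none') != 'none' for p in enabled):
        return []
    return [sa['spi'] for sa in parse_records(sa_text) if 'P' not in sa['flags']]

if __name__ == '__main__':
    for spi in sas_missing_pfs(SA_OUTPUT, PROPOSAL_OUTPUT):
        print('SA', spi, 'has no P flag although the proposal sets a pfs-group')
```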