L2TP/IPsec - Perfect Forward Secrecy / use of the default IPSec proposal

Hi,

I’ve a lab setup, where several RouterBoards should connect to a central VPN server (also Routerboard). I successfully configured a L2TP server and the client RouterBoards establish the L2TP tunnel (“Use IPSec” is checked). According to the IPSec SA table the L2TP sessions are encrypted, but not using PFS though it is configured in the default proposal on the VPN server.

Is this the expected behavior? The L2TP server respects all IPSec settings in the default-proposal but not PFS.

I found an old thread (2013) covering the same question, but nobody responded: http://forum.mikrotik.com/t/problems-enabling-perfect-forward-secrecy-with-ipsec/72876/1

Any hints are really appreciated.
Thank you in advance.

Regards,
Ape

How do you tell that PFS is not used? There is no such flag (P - pfs) as it was in old RouterOS versions to what you are referring to.

Hi emils,

thank you very much for your answer.

In fact I was looking for the flag in the SA table.
Is there a possibility to check if PFS is used for the established SAs?

I used

/ip ipsec installed-sa print detail

which gives quite a lot of details but no indication if PFS is used or not.

Regards,
Ape

There is no way to monitor PFS status. If it is configured under IPsec proposal, it is definitely used.
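Since the installed-SA table carries no PFS indicator, the place to verify PFS is the proposal itself. The following is an added example (not from this thread or from MikroTik) showing the default proposal with PFS off beside the corrected setting and a small scripted check; it assumes RouterOS v6 CLI syntax and that the L2TP/IPsec dynamic policy uses the proposal named "default".

```routeros
# Added example, not from the thread. Assumes RouterOS v6 CLI syntax and
# that the L2TP/IPsec dynamic policy uses the proposal named "default".

# Weak: PFS disabled, phase-2 keys derive solely from the IKE SA keying material
/ip ipsec proposal set default pfs-group=none

# Corrected: enable PFS with a 2048-bit MODP group, plus modern phase-2 algorithms
/ip ipsec proposal set default pfs-group=modp2048 \
    auth-algorithms=sha256 enc-algorithms=aes-256-cbc

# Verify the proposal, not the SA table (the SA table has no PFS flag)
/ip ipsec proposal print detail where name=default

# Scripted audit check: log a warning when PFS is off on the default proposal
:local pfs [/ip ipsec proposal get [find name=default] pfs-group]
:if ($pfs = "none") do={
    :log warning "IPsec default proposal has PFS disabled"
} else={
    :log info ("IPsec default proposal PFS group: " . $pfs)
}
```

Run the audit part from /system script or a scheduler entry to catch a proposal that was later changed back to pfs-group=none.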

Hi,

thank you for your response!
Good to know.

Any chance to get the ability to see the PFS status in future ROS versions?
I’m okay with your answer but I know for sure some people (customers for example) want to see if PFS is “really” working.

Regards,
Ape