achelon
Joined: Wed Dec 25, 2013 7:30 pm

Problems enabling Perfect Forward Secrecy with IPSEC

Mon Dec 30, 2013 11:31 pm

Hi,

I am configuring a VPN server using IPsec/L2TP. The setup works fine, with the exception that PFS does not appear to work: the generated security associations of an established VPN connection do not have the P flag set, e.g.:
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x89A099A src-address=X.X.X.X dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=18458

 1 E  spi=0xA78E4A0 src-address=X.X.X.X dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=17781
I have configured the PFS group in the proposal on both the client (racoon) and the MikroTik, e.g.:
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048
Has anyone managed to get PFS working over IPSEC?

Regards,
Achelon
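Added example, not part of the original post and not MikroTik's own code: the check the post performs by eye (looking for the P flag in the SA listing) done as a small Python script that parses `/ip ipsec installed-sa print` output and reports which SAs were installed without PFS. The sample listing is constructed from the one quoted above (addresses replaced with RFC 5737 documentation addresses, plus one invented entry that does carry the P flag); the column layout it relies on, flag letters sitting between the index and `spi=`, is assumed from that listing rather than taken from MikroTik documentation.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the `/ip ipsec installed-sa print` listing
# quoted in the post. Entries 0 and 1 mirror the post (addresses replaced with
# documentation addresses); entry 2 is invented here to show what an SA that
# did negotiate PFS (flag P) looks like. The column layout is an assumption
# taken from the quoted listing, not from MikroTik documentation.
SAMPLE_LISTING = """\
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x89A099A src-address=192.0.2.1 dst-address=198.51.100.7 auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=18458

 1 E  spi=0xA78E4A0 src-address=198.51.100.7 dst-address=192.0.2.1 auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:15:18 expires-in=28m53s add-lifetime=24m/30m current-bytes=17781

 2 EP spi=0xB1C2D3E src-address=192.0.2.1 dst-address=203.0.113.9 auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="removed"
      enc-key="removed" addtime=dec/30/2013 20:20:02 expires-in=29m10s add-lifetime=24m/30m current-bytes=512
"""

# "Flags: A - AH, E - ESP, P - pfs" -> {"A": "AH", "E": "ESP", "P": "pfs"}
LEGEND_RE = re.compile(r"([A-Z])\s*-\s*([^,]+)")
# " 0 E  spi=..." / " 2 EP spi=...": index, optional run of flag letters, key=value tail
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(\S+=.*)$")
# key=value pairs; quoted values may contain spaces, unquoted values end at the next space
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


@dataclass
class InstalledSA:
    index: int
    flags: str                      # e.g. "E" or "EP"
    fields: dict = field(default_factory=dict)


def _parse_kv(text: str) -> dict:
    # addtime is "date time" with a space; only the date part survives this split
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_installed_sa(listing: str):
    """Return (flag legend, list of InstalledSA) parsed from a RouterOS SA listing."""
    legend = {}
    sas = []
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("Flags:"):
            legend = {k: v.strip() for k, v in LEGEND_RE.findall(raw[len("Flags:"):])}
            continue
        m = ENTRY_RE.match(raw)
        if m:
            sas.append(InstalledSA(int(m.group(1)), m.group(2) or "", _parse_kv(m.group(3))))
        elif sas and raw[0].isspace():
            # indented continuation line belongs to the previous entry
            sas[-1].fields.update(_parse_kv(raw))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return legend, sas


def describe_flags(legend: dict, sa: InstalledSA) -> list:
    """Expand an SA's flag letters through the legend, e.g. "EP" -> ["ESP", "pfs"]."""
    return [legend.get(f, f) for f in sa.flags]


def sas_without_pfs(sas) -> list:
    """Indexes of installed SAs that lack the P (pfs) flag."""
    return [sa.index for sa in sas if "P" not in sa.flags]


def pfs_report(listing: str) -> dict:
    """Per-SA summary: expanded flags, SPI, peer address and whether PFS was negotiated."""
    legend, sas = parse_installed_sa(listing)
    return {
        sa.index: {
            "flags": describe_flags(legend, sa),
            "spi": sa.fields.get("spi"),
            "peer": sa.fields.get("dst-address"),
            "pfs": "P" in sa.flags,
        }
        for sa in sas
    }


if __name__ == "__main__":
    for idx, info in pfs_report(SAMPLE_LISTING).items():
        verdict = "PFS" if info["pfs"] else "NO PFS"
        print(f"SA {idx} spi={info['spi']} -> {info['peer']}: {verdict} ({', '.join(info['flags'])})")
```

Feed the script the text of `/ip ipsec installed-sa print` captured from the router; on the listing quoted in the post it reports SAs 0 and 1 as installed without PFS. The point of checking the installed SAs rather than the proposal is the one the post makes: `pfs-group` on the proposal is only what the router is configured to use, while the P flag on an installed SA records whether a PFS exchange actually happened for that SA.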
