VPN: Can't customize PFS Group in Phase 2

[karaman]

Hi,

OPNsense 18.7.8-amd64
FreeBSD 11.1-RELEASE-p15
OpenSSL 1.0.2q 20 Nov 2018
strongswan 5.7.1

When connecting a VPN, the following message appears:

Dec 3 13:48:08
charon: 09[CFG] <con1|52> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Dec 3 13:48:08
charon: 09[CFG] <con1|52> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ

Config:

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = 37.xx.xx.xx
  right = 78.xx.xx.xx
  leftid = 37.xx.xx.xx
  ikelifetime = 108000s
  lifetime = 28800s
  ike = aes256-sha256-modp2048,aes256-sha1-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 78.xx.xx.xx
  rightsubnet = 10.xx.xx.0/24
  leftsubnet = 192.xx.xx.0/24
  esp = aes256-sha1-modp1024,aes256-sha256-modp1024!
  auto = add

However, in the phase 2 of the VPN connection, the PFS group was set to "Group 14" via the OPNsense web interface. But, in the configuration file stays always "esp = aes256-sha1-modp1024, aes256-sha256-modp1024!".

Any Solution?

[franco]

Is this a mobile setup? Check VPN: IPsec: Mobile Clients as it has a separate PFS setting.


Cheers,
Franco

[karaman]

Hi,

no its no mobile configuration.
see screenshot.

[mimugmail]

I can't reproduce on a 18.7.8 .. have you switched browsers?

[karaman]

Yes... We tried 3 Browser...

[franco]

I'm not sure why "Is this a mobile setup? Check VPN: IPsec: Mobile Clients as it has a separate PFS setting." was ignored.

https://forum.opnsense.org/index.php?topic=10498.msg48068#msg48068

But okay