[Swan] question about pfsgroup

Xinwei Hong xhong at skytap.com
Fri Mar 30 00:05:47 UTC 2018


Hi

If we have pfsgroup in phase2alg, ipsec will use it in ESP, e.g.
phase2alg=aes128-sha1;modp1536

If we don't have it, e.g. phase2alg=aes128-sha1, ipsec will use the DH group
from phase 1 as pfsgroup.

How do I tell ipsec to not use any pfsgroup? I tried "pfs=no", however, if
the remote peer has pfsgroup, it will still accept the request. Sounds like
it follows what the spec says:

pfs

whether Perfect Forward Secrecy of keys is desired on the connection's
keying channel (with PFS, penetration of the key-exchange protocol does not
compromise keys negotiated earlier); Since there is no reason to ever
refuse PFS, Libreswan will allow a connection defined with pfs=no to use
PFS anyway. Acceptable values are yes (the default) and no.

Also, if both ends have totally different pfsgroups, libreswan can establish a
connection between the two peers even though both sides seem to have different settings.

Why does it still work when both ends mismatch? Do we need to care about
pfsgroup at all? This is the case between two libreswan peers. When connecting to
other VPN stacks, a mismatch sometimes does not work.


Thanks,
Xinwei
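As an added illustration of the rule the post describes (a group written after ';' in phase2alg is used for ESP, otherwise the phase 1 DH group is inherited), here is a small checker that works out each peer's effective PFS group set from ike= and phase2alg= strings and flags a mismatch before the tunnel is brought up. This is example code written for this page, not Libreswan's own parser; the sample configurations are constructed, and the function and parameter names are my own. Comparing both ends this way catches the interoperability failure the post mentions with other VPN stacks, regardless of whether two Libreswan ends happen to tolerate the mismatch.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample configs modelled on the post's examples (not from any
# real deployment). Each peer is described by its ike= and phase2alg= values.
PEER_A = {"ike": "aes128-sha1;modp2048", "phase2alg": "aes128-sha1;modp1536"}
PEER_B = {"ike": "aes128-sha1;modp2048", "phase2alg": "aes128-sha1"}


def parse_proposals(spec: str) -> List[Tuple[str, Optional[str]]]:
    """Split a Libreswan-style algorithm string into (cipher-integ, dh-group) pairs.

    Proposals are comma separated; an optional DH group follows ';', as in the
    post's example "aes128-sha1;modp1536". A proposal without ';' gets None.
    """
    out: List[Tuple[str, Optional[str]]] = []
    for prop in spec.split(","):
        prop = prop.strip()
        if not prop:
            continue
        if ";" in prop:
            algs, group = prop.split(";", 1)
            out.append((algs.strip(), group.strip() or None))
        else:
            out.append((prop, None))
    return out


def effective_pfs_groups(ike: str, phase2alg: str) -> Set[str]:
    """Return the DH groups that will be used for the ESP SA, per the post's rule:

    - a group written in phase2alg is used as-is (the pfsgroup);
    - a phase2alg proposal with no group inherits the phase 1 (ike=) group(s).
    If neither string names a group the set is empty, i.e. unknown/default.
    """
    ike_groups = {g for _, g in parse_proposals(ike) if g}
    groups: Set[str] = set()
    for _, g in parse_proposals(phase2alg):
        if g:
            groups.add(g)
        else:
            groups |= ike_groups
    return groups


def check_peer_pfs(local: Dict[str, str], remote: Dict[str, str]) -> Tuple[bool, Set[str], Set[str]]:
    """Compare the effective PFS groups of two peers.

    Returns (ok, local_groups, remote_groups); ok is True when both sides share at
    least one group. A False result is the configuration the post asks about:
    two Libreswan ends may still connect, but other stacks can refuse it, so it
    is worth fixing in the config rather than relying on peer leniency.
    """
    lg = effective_pfs_groups(local["ike"], local["phase2alg"])
    rg = effective_pfs_groups(remote["ike"], remote["phase2alg"])
    return bool(lg & rg), lg, rg


if __name__ == "__main__":
    ok, lg, rg = check_peer_pfs(PEER_A, PEER_B)
    print(f"local PFS groups={sorted(lg)} remote PFS groups={sorted(rg)} match={ok}")
```

In the constructed sample, PEER_A pins modp1536 in phase2alg while PEER_B inherits modp2048 from phase 1, so the checker reports a mismatch; writing the same group explicitly on both ends (or on neither, with identical ike= strings) makes it pass.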