[Swan] question about pfsgroup

Xinwei Hong xhong at skytap.com
Fri Mar 30 22:03:36 UTC 2018


Ping...

Can anybody confirm the behavior? Or if I'm doing something wrong, I'd like
to know.
I see similar behavior with racoon, but it looks like Cisco does it
differently, according to this page:
https://www.speaknetworks.com/what-is-ipsec-vpn-pfs-perfect-forward-secrecy/

Thanks,
Xinwei
On Thu, Mar 29, 2018 at 5:05 PM, Xinwei Hong <xhong at skytap.com> wrote:

> Hi,
>
> If we have a pfsgroup in phase2alg, ipsec will use it in ESP, e.g.
> phase2alg=aes128-sha1;modp1536
>
> If we don't have it, e.g. phase2alg=aes128-sha1, ipsec will use the DH
> group from phase 1 as the pfsgroup.
>
> How do I tell ipsec not to use any pfsgroup? I tried "pfs=no"; however, if
> the remote peer has a pfsgroup, it will still accept the request. Sounds like
> it follows what the spec says:
>
> pfs
>
> whether Perfect Forward Secrecy of keys is desired on the connection's
> keying channel (with PFS, penetration of the key-exchange protocol does not
> compromise keys negotiated earlier); Since there is no reason to ever
> refuse PFS, Libreswan will allow a connection defined with pfs=no to use
> PFS anyway. Acceptable values are yes (the default) and no.
>
> Also, if both ends have totally different pfsgroups, libreswan can
> establish a connection between the two peers, and both sides seem to have
> different settings.
>
> Why does it still work when both ends mismatch? Do we need to care about
> pfsgroup at all? This is the case between two libreswan peers. When
> connecting to another VPN stack, a mismatch sometimes does not work.
>
>
> Thanks,
> Xinwei
>
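The resolution rules the question describes (an explicit group in phase2alg wins, otherwise the phase 1 DH group is reused, and pfs=no still lets the peer's group through) are easy to get wrong when comparing two ipsec.conf files by eye. The following is an added example, not code from the thread or from libreswan, that models those rules and flags a mismatch between two peers; the ConnSettings class and the function names are assumptions for illustration.

```python
# Added example: models the libreswan pfsgroup behaviour as described in the
# thread so that two peers' settings can be compared before troubleshooting
# interop failures. Not libreswan code; ConnSettings is a constructed type.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnSettings:
    ike: str           # phase 1 proposal, e.g. "aes128-sha1;modp2048"
    phase2alg: str     # phase 2 (ESP) proposal, e.g. "aes128-sha1;modp1536"
    pfs: str = "yes"   # "yes" (the default) or "no"


def dh_group(proposal: str) -> Optional[str]:
    """Return the DH group suffix of a proposal string ('modp1536' in
    'aes128-sha1;modp1536'), or None when no ';group' part is present."""
    _, sep, group = proposal.partition(";")
    if not sep or not group.strip():
        return None
    return group.strip()


def effective_pfs_group(conn: ConnSettings) -> Optional[str]:
    """Group a peer would use for ESP, per the thread: explicit phase2alg
    group first, otherwise the phase 1 (ike=) DH group."""
    return dh_group(conn.phase2alg) or dh_group(conn.ike)


def offered_pfs_group(conn: ConnSettings) -> Optional[str]:
    """Group a peer insists on. pfs=no does not refuse PFS (libreswan still
    accepts the remote's group), so such a side offers nothing of its own."""
    return None if conn.pfs.lower() == "no" else effective_pfs_group(conn)


def negotiate_pfs(local: ConnSettings, remote: ConnSettings) -> str:
    """Return the agreed group, 'none', or 'MISMATCH: ...' when both sides
    insist on different groups, which is what breaks interop with other
    VPN stacks according to the question."""
    a, b = offered_pfs_group(local), offered_pfs_group(remote)
    if a and b and a != b:
        return f"MISMATCH: local={a} remote={b}"
    return a or b or "none"
```

Running negotiate_pfs over both ends' connection definitions before changing pfsgroup answers the "do we need to care" question for a given pair.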