[Swan] question about pfsgroup
Paul Wouters
paul at nohats.ca
Mon Apr 23 22:11:04 UTC 2018
On Mon, 23 Apr 2018, Andrew Cagney wrote:
>>>> Apr 2 20:24:13 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #5: initiating Quick Mode
>
> Something flipped the PFS bit, causing the re-key to request a DH exchange!
That is a little odd. I'll investigate.
> My hunch is that pfs_group applies to connections racoon initiates.
> As a responder, it is happy to go with whatever was proposed.
Yes, a number of implementations reason that "PFS is always better", so
if configured to not use it, but the other endpoint can do it, they opt
to do it as well.
Paul
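The thread turns on spotting an unexpected Quick Mode rekey in pluto's syslog output. As an added example (not code from this thread or from libreswan), the parser below extracts the connection name, state number and message from lines in the shape of the one quoted above, counts Quick Mode initiations per connection, and flags connections that rekey more often than a chosen threshold. The optional label field before the quoted connection name (`vpn-5653427:` in the quoted line) is treated as an arbitrary prefix, which is an assumption about the format; all sample lines except the quoted one are constructed.

```python
import re
from collections import Counter

# Syslog + pluto line shape, modelled on the line quoted in the thread.
# The "label: " field before the quoted connection name is assumed optional.
PLUTO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) pluto\[(?P<pid>\d+)\]: "
    r"(?:(?P<label>[^\"\s]+): )?"
    r"\"(?P<conn>[^\"]+)\" #(?P<state>\d+): (?P<msg>.*)$"
)

# Constructed sample: the first line is the one quoted on the list, the
# others are made up in the same shape to exercise the parser.
SAMPLE_LOG = """\
Apr 2 20:24:13 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #5: initiating Quick Mode
Apr 2 20:25:40 vvr-10-69-244-19 pluto[18354]: "other-tunnel" #7: initiating Quick Mode
Apr 2 20:25:41 vvr-10-69-244-19 pluto[18354]: "other-tunnel" #8: initiating Quick Mode
Apr 2 20:25:42 vvr-10-69-244-19 pluto[18354]: "other-tunnel" #9: responding to Quick Mode proposal
Apr 2 20:26:00 vvr-10-69-244-19 pluto[18354]: unrelated daemon message
"""


def parse_pluto_line(line: str):
    """Return a dict with ts, host, pid, label, conn, state, msg, or None
    when the line does not carry a per-connection pluto message."""
    m = PLUTO_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["state"] = int(rec["state"])
    return rec


def count_quick_mode_initiations(lines) -> Counter:
    """Count how many times each connection initiated Quick Mode (IKEv1
    phase 2). Responder-side messages are deliberately not counted, so a
    connection that is only ever rekeyed by the peer shows a count of 0."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        if rec["msg"].startswith("initiating Quick Mode"):
            counts[rec["conn"]] += 1
    return counts


def flag_rekey_storms(counts: Counter, threshold: int) -> list:
    """Names of connections whose initiation count reached the threshold,
    sorted for stable output. A burst of Quick Mode initiations on one
    connection is worth a look: it often means the two ends disagree on
    the phase 2 proposal (for example PFS on one side only)."""
    return sorted(conn for conn, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = count_quick_mode_initiations(SAMPLE_LOG.splitlines())
    for conn, n in counts.most_common():
        print(f"{n:3d}  {conn}")
    print("flagged:", flag_rekey_storms(counts, 2))
```

Feed it `journalctl -u ipsec` or the relevant syslog file split into lines; the threshold should be set from the configured phase 2 lifetime, since a healthy tunnel rekeys roughly once per lifetime.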