[Swan] question about pfsgroup

Paul Wouters paul at nohats.ca
Mon Apr 23 22:11:04 UTC 2018


On Mon, 23 Apr 2018, Andrew Cagney wrote:

>>>> Apr  2 20:24:13 vvr-10-69-244-19 pluto[18354]: vpn-5653427: "conn_vpn-5653427-tunnel-VPNRemoteRoutedSubnet-tunnel-10.30.0.0/16" #5: initiating Quick Mode
>
> Something flipped the PFS bit, causing the re-key to request a DH exchange!

That is a little odd. I'll investigate.

> My hunch is that pfs_group applies to connections racoon initiates.
> As a responder, it is happy to go with whatever was proposed.

Yes, a number of implementations reason that "PFS is always better", so
if configured to not use it, but the other endpoint can do it, they opt
to do it as well.

Paul
