<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I'd also like someone to clarify this question. From what I
understand currently, using EDH for the IKE_SA is PFS as it is in
"usual" SSL/TLS (e.g. in HTTPS) — you'll get a new EDH key for every
new IKE_SA negotiation.<br>
But EDH in the CHILD_SA is what you would call "key rotation". If you
use EDH in the CHILD_SA, you'll get a new EDH key on every rekey, i.e. every
hour or so.<br>
Is this correct?<br>
<br>
<div class="moz-cite-prefix">On 03/01/2016 02:55 PM, John Brown
wrote:<br>
</div>
<blockquote
cite="mid:CAMCukfXkDZUjkdk0WsK9Vb6QmnjE3DMcL3UafUQ2GNnJZowusw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div><span class="im">
<div>
<div>Hi, <br>
</div>
<br>
</div>
I can give you two links with a small amount of
information about your question:<br>
<br>
</span><a moz-do-not-send="true"
href="http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html"
target="_blank">http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html</a><br>
<br>
</div>
and <br>
<br>
<a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS"
target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS</a><br>
<br>
</div>
<br>
</div>
Regards,<br>
<br>
</div>
John</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-03-01 11:23 GMT+01:00 Harald
Dunkel <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:harald.dunkel-N2c6Q/boOuSzQB+pC5nmwQ@public.gmane.org"
target="_blank">harald.dunkel-N2c6Q/boOuSzQB+pC5nmwQ@public.gmane.org</a>></span>:<br>
</div>
<br>
</div>
<br>
</blockquote>
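As an added illustration of the two places a DH group can be configured in strongSwan IKEv2 (this fragment is my own example, not from either poster or from the linked pages), the swanctl.conf below puts ecp256 into the IKE proposal, which covers the IKE_SA's own key exchange on initial negotiation and on every IKE_SA rekey, and shows two CHILD_SAs: one without a DH group in the ESP proposal and one with it, so that every CHILD_SA rekey (every hour here, the strongSwan default) runs its own DH exchange. Addresses, subnets, identities and certificate file names are placeholders.

```conf
# Added example (not from the thread): swanctl.conf, strongSwan 5.x syntax.
# Addresses, subnets, identities and certificate names are placeholders.
connections {
    site-a {
        local_addrs  = 198.51.100.10
        remote_addrs = 203.0.113.20

        # IKE_SA proposal: the DH group (ecp256) is used for the IKE_SA's
        # key exchange on the initial IKE_SA_INIT and again on every
        # IKE_SA rekey (4h is strongSwan's default rekey_time).
        proposals  = aes256-sha256-ecp256
        rekey_time = 4h

        local {
            auth  = pubkey
            certs = siteA.pem
            id    = siteA.example.org
        }
        remote {
            auth = pubkey
            id   = siteB.example.org
        }

        children {
            # Without PFS: no DH group in the ESP proposal. On each CHILD_SA
            # rekey the new ESP keys are derived from the IKE_SA's SK_d and
            # the exchanged nonces only, so they are no more secret than the
            # IKE_SA's keying material.
            net-no-pfs {
                local_ts      = 10.0.1.0/24
                remote_ts     = 10.0.2.0/24
                esp_proposals = aes256gcm16
                rekey_time    = 1h
            }

            # With PFS: the DH group in the ESP proposal makes every CHILD_SA
            # rekey (here hourly) carry a fresh KE payload, so the new ESP keys
            # also depend on a new DH secret; SK_d alone no longer yields them.
            net-pfs {
                local_ts      = 10.0.1.0/24
                remote_ts     = 10.0.3.0/24
                esp_proposals = aes256gcm16-ecp256
                rekey_time    = 1h
            }
        }
    }
}
```

After loading this with swanctl --load-all, swanctl --list-sas prints the negotiated proposals per SA; the PFS child lists its DH group next to the ESP algorithms, while the other child shows only the cipher, which is a quick way to confirm which variant a peer actually agreed to.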
<br>
</body>
</html>