[strongSwan] strict Flags and PFS

Martin Willi martin at strongswan.org
Tue Aug 3 10:19:08 CEST 2010

Hi Eduardo,

> esp=null-sha1-modp8192!
> ike=aes128-sha-modp1024!

> For both scenarios the CHILD SA is created (with no PFS).

Did you create the CHILD_SA in an additional CREATE_CHILD_SA exchange?

If the CHILD_SA is set up along with the initial IKE_AUTH exchange,
there is no way to do a separate DH exchange for the CHILD_SA in IKEv2.
This hardly makes sense, as we just did a DH exchange during

The DH group in the esp= parameter is ignored for the initial setup. The
DH group is only used for later CHILD_SA setups or rekeyings using a
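The proposal syntax discussed above, as an added example (this is not code from the original post or from strongSwan itself): a small Python parser for ipsec.conf ike=/esp= strings that splits the algorithm tokens, the trailing "!" strict flag and the DH group, and that applies the rule from the reply, namely that the DH group in esp= is not used for a CHILD_SA set up in IKE_AUTH but only for one negotiated in CREATE_CHILD_SA (rekeying or an additional CHILD_SA). The algorithm tables are a subset chosen for the example, and the exchange names are passed in by the caller.

```python
"""Parse strongSwan ipsec.conf ike=/esp= proposal strings and show where
the DH group in esp= actually applies (added example, not strongSwan code)."""

# IANA Diffie-Hellman group names as strongSwan spells them (subset).
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21,
}
# Integrity algorithm names (subset); "sha" is strongSwan's alias for sha1.
INTEGRITY = {"md5", "sha", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
INTEG_ALIASES = {"sha": "sha1"}
# Encryption algorithm names (subset); "null" means no encryption (ESP only).
ENCRYPTION = {"null", "3des", "aes128", "aes192", "aes256"}


def parse_proposals(value):
    """Parse 'alg-alg-dh,alg-alg[!]' into a strict flag and a proposal list.

    A trailing '!' means strict: only the listed proposals are offered and
    strongSwan's default proposals are not appended.
    """
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = []
    for prop in value.split(","):
        entry = {"encryption": None, "integrity": None, "dh": None}
        for alg in prop.split("-"):
            if alg in DH_GROUPS:
                entry["dh"] = alg
            elif alg in INTEGRITY:
                entry["integrity"] = INTEG_ALIASES.get(alg, alg)
            elif alg in ENCRYPTION:
                entry["encryption"] = alg
            else:
                raise ValueError(f"unknown algorithm token {alg!r} in {prop!r}")
        if entry["encryption"] is None:
            raise ValueError(f"proposal {prop!r} has no encryption algorithm")
        proposals.append(entry)
    return {"strict": strict, "proposals": proposals}


def child_sa_dh_groups(esp_value, exchange):
    """Return the DH groups a CHILD_SA would use when created in `exchange`.

    IKE_AUTH: the first CHILD_SA rides on the IKE_SA's own DH exchange, so
    the esp= DH group is ignored and no separate DH is done (empty list).
    CREATE_CHILD_SA: rekeying or an additional CHILD_SA uses the esp= group(s).
    """
    parsed = parse_proposals(esp_value)
    if exchange == "IKE_AUTH":
        return []
    if exchange == "CREATE_CHILD_SA":
        return [p["dh"] for p in parsed["proposals"] if p["dh"]]
    raise ValueError(f"unknown exchange {exchange!r}")


if __name__ == "__main__":
    # The two proposal strings quoted in the thread.
    for name, value in (("ike", "aes128-sha-modp1024!"),
                        ("esp", "null-sha1-modp8192!")):
        print(name, "=", value, "->", parse_proposals(value))
    print("initial CHILD_SA (IKE_AUTH) DH:",
          child_sa_dh_groups("null-sha1-modp8192!", "IKE_AUTH"))
    print("rekeyed CHILD_SA (CREATE_CHILD_SA) DH:",
          child_sa_dh_groups("null-sha1-modp8192!", "CREATE_CHILD_SA"))
```

Run it stand-alone to see that the esp= string from the thread yields no DH group for the IKE_AUTH CHILD_SA and modp8192 for a later CREATE_CHILD_SA; a proposal without any DH group yields an empty list in both cases, i.e. no PFS even on rekeying.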

