[strongSwan] strict Flags and PFS
Martin Willi
martin at strongswan.org
Tue Aug 3 10:19:08 CEST 2010
Hi Eduardo,
> esp=null-sha1-modp8192!
> ike=aes128-sha-modp1024!
> For both scenarios the CHILD SA is created (with no PFS).
Did you create the CHILD_SA in an additional CREATE_CHILD_SA exchange?
If the CHILD_SA is set up along with the initial IKE_AUTH exchange,
there is no way to do a separate DH exchange for the CHILD_SA in IKEv2.
This hardly makes sense, as we just did a DH exchange during
IKE_SA_INIT.
The DH group in the esp= parameter is ignored for the initial setup. The
DH group is only used for later CHILD_SA setups or rekeyings using a
CREATE_CHILD_SA exchange.
Regards
Martin
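As an added illustration (not part of the thread above, and not strongSwan project code): one practical way to see which CHILD_SAs actually got a DH exchange is to read the ESP proposal that `ipsec statusall` lists for each CHILD_SA; a DH group such as `MODP_8192` is appended to the proposal only when the CHILD_SA was negotiated with PFS, so the CHILD_SA from the initial IKE_AUTH shows no group while one created or rekeyed via CREATE_CHILD_SA does. The status output embedded below is constructed for the example and follows the general layout of the stroke status listing; the exact field layout on a given version is an assumption, so adjust the regular expressions if your output differs.

```python
"""Flag strongSwan CHILD_SAs that were installed without a DH exchange (no PFS).

Added example for the thread above, not strongSwan's own code. It parses
the CHILD_SA algorithm lines of `ipsec statusall` and reports the DH group
(if any) negotiated for each CHILD_SA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ipsec statusall` output, built for this example
# (not captured from a real system). net{1} was set up in IKE_AUTH, so no
# DH group is listed; net{2} came from a CREATE_CHILD_SA rekeying with the
# modp8192 group from esp=null-sha1-modp8192!.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
        net[1]: ESTABLISHED 5 minutes ago, 192.0.2.1[moon]...192.0.2.2[sun]
        net[1]: IKEv2 SPIs: 1d2f3a4b5c6d7e8f_i* 8f7e6d5c4b3a2f1d_r, rekeying in 2 hours
        net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i d4b3a2c1_o
        net{1}:  NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
        net{1}:   10.1.0.0/16 === 10.2.0.0/16
        net{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: e5f6a7b8_i b8a7f6e5_o
        net{2}:  NULL/HMAC_SHA1_96/MODP_8192, 0 bytes_i, 0 bytes_o, rekeying in 59 minutes
        net{2}:   10.1.0.0/16 === 10.2.0.0/16
"""

# The CHILD_SA algorithm line: "<conn>{<id>}:  ALG/ALG[/DHGROUP], N bytes_i, ..."
# Requiring "N bytes_i" after the proposal keeps the INSTALLED and traffic
# selector lines of the same CHILD_SA from matching.
CHILD_ALG_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<algs>[A-Z][A-Z0-9_/]*),\s+\d+ bytes_i"
)

# DH group names as strongSwan prints them (MODP_*, ECP_*, CURVE_*).
DH_GROUP_RE = re.compile(r"^(MODP_\d+(_\d+)?|ECP_\d+(_BP)?|CURVE_25519|CURVE_448)$")


@dataclass
class ChildSa:
    conn: str
    id: int
    algs: List[str]          # proposal components, e.g. ["NULL", "HMAC_SHA1_96"]
    dh_group: Optional[str]  # DH group if PFS was used, else None


def parse_child_sas(status_output: str) -> List[ChildSa]:
    """Extract every CHILD_SA and the DH group (if any) from status output."""
    sas = []
    for line in status_output.splitlines():
        m = CHILD_ALG_RE.match(line)
        if not m:
            continue
        algs = m.group("algs").split("/")
        # A DH group, when negotiated, is the last component of the proposal.
        dh_group = algs[-1] if DH_GROUP_RE.match(algs[-1]) else None
        sas.append(ChildSa(m.group("conn"), int(m.group("id")), algs, dh_group))
    return sas


def child_sas_without_pfs(status_output: str) -> List[str]:
    """Names like 'net{1}' for CHILD_SAs that were installed without a DH exchange."""
    return [
        f"{sa.conn}{{{sa.id}}}"
        for sa in parse_child_sas(status_output)
        if sa.dh_group is None
    ]


if __name__ == "__main__":
    for sa in parse_child_sas(SAMPLE_STATUS):
        pfs = sa.dh_group or "none (created in IKE_AUTH or without PFS)"
        print(f"{sa.conn}{{{sa.id}}}: {'/'.join(sa.algs)}  DH group: {pfs}")
    print("without PFS:", child_sas_without_pfs(SAMPLE_STATUS))
```

On a live system, feed the output of `ipsec statusall` into `parse_child_sas()`; the first CHILD_SA of a connection is expected to show no DH group, and the group from `esp=` should appear once that CHILD_SA has been rekeyed or a second CHILD_SA has been brought up through CREATE_CHILD_SA.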