[strongSwan] Support of PFS for IKE SA

Tobias Brunner tobias at strongswan.org
Tue Mar 11 15:44:16 CET 2014


Hi Arun,

The pfs option has no effect on IKEv2 connections.  It's an option used
by the legacy IKEv1 daemon pluto, where it only affected Quick Mode SAs
because ISAKMP SAs are always reestablished from scratch, so there
always is a DH exchange.

IKEv2 does support inline rekeying of IKE_SAs (reauth=no, rekey=yes) and
there is always a DH exchange when doing so (see [1]).  To do a DH
exchange when rekeying CHILD_SAs with IKEv2 (or IKEv1 since 5.x) you
have to configure at least one DH group in the esp cipher suite as you
already have in your config.

Regards,
Tobias

[1] http://tools.ietf.org/html/rfc5996#section-2.18
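Added example, not from the original post: two strongSwan ipsec.conf connections illustrating Tobias's point, one that relies on the IKEv1-only pfs option (ignored for IKEv2) and one that puts a DH group into the esp proposal so CHILD_SA rekeys actually do a DH exchange. Addresses, identities and certificate names are placeholders.

```ini
# Added example (not from the original post or the strongSwan project):
# contrasting two IKEv2 connections.  Addresses, ids and cert names are
# placeholders.

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    # inline IKE_SA rekeying: every IKE_SA rekey carries its own DH exchange
    reauth=no
    rekey=yes
    ikelifetime=24h
    lifetime=1h
    margintime=9m
    left=%any
    leftcert=gwCert.pem
    leftid=@gw.example.org
    right=192.0.2.10
    rightid=@peer.example.org

# WEAK: pfs=yes is a pluto (IKEv1) option and is silently ignored for IKEv2.
# With no DH group in the esp proposal, CHILD_SA rekeys derive new keys from
# the existing IKE_SA key material only (no fresh DH secret per CHILD_SA).
conn no-child-dh
    esp=aes128gcm16!
    pfs=yes
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=add

# CORRECTED: modp2048 in the esp proposal makes each CREATE_CHILD_SA rekey
# include KE payloads, so every rekeyed CHILD_SA gets a fresh DH secret.
conn child-dh
    esp=aes128gcm16-modp2048!
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=add
```

The DH group in the esp proposal only applies to CREATE_CHILD_SA rekeys; the first CHILD_SA, negotiated inside IKE_AUTH, is always keyed from the IKE_SA's own DH result.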
