[strongSwan] seeking advice: pfs on creating a child_sa?
Harald Dunkel
harald.dunkel at aixigo.de
Fri Mar 4 09:18:54 CET 2016
Hi John,
On 03/01/2016 12:55 PM, John Brown wrote:
> Hi,
>
> I can give you two links with some small amount information about your question:
>
> http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
>
> and
>
> https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS
>
I saw the wiki article before, of course. Point is that some
implementations don't support PFS for phase 2, including the
iphones (at least for IKEv1), Windows(7?, 10?) and even
charon-nm. Since I made PFS optional for phase 2 in our road
warrior setup on the server a lot of "broken connection after
an hour or so" problems went away.
AFAIU PFS provides a means to create a symmetric key on both
peers without exchanging anything secret over a (possibly
unprotected or compromised) communication line. I am not sure
if this is an issue for phase 2. Is it?
Regards
Harri
More information about the Users
mailing list