[strongSwan] PfsGroup
Christopher Bachner
hello at chrisbox.org
Mon Feb 19 17:32:23 CET 2018
Hi Guys,
I am somewhat new to IPSec.
In Windows 10 I am trying to set proper encryption/integrity algorithms:
Set-VpnConnectionIPsecConfiguration -ConnectionName "..." -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup None
Now, as you can see, I *have to* set PfsGroup to none, because if I do not then my IPsec Tunnel breaks apart eventually. The server will say "no acceptable diffie hellman group found." I am assuming that Windows is trying to do PFS which strongswan can't (?).
Is that option maybe obsolete with IKEv2? After all, pfsgroup is listed under "Removed parameters (since 5.0.0)":
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
Is PfsGroup None unsafe?
Thanks!
-Chris