[strongSwan] PfsGroup

Christopher Bachner hello at chrisbox.org
Mon Feb 19 17:32:23 CET 2018

Hi Guys,

I am somewhat new to IPSec.

In Windows 10 I am trying to set proper encryption-/integrity algorithm:

Set-VpnConnectionIPsecConfiguration -ConnectionName "..." -AuthenticationTransformConstan
ts SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup None

Now, as you can see, I *have to* set PfsGroup to none, because if I do not then my IPsec Tunnel breaks apart eventually. The server will say "no acceptable diffie hellman group found." I am assuming that Windows is trying to do PFS which strongswan can't (?).

Is that option maybe obsolete with IKEv2? Afterall, pfsgroup is listed under "Removed parameters (since 5.0.0)":


Is PfsGroup None unsafe?



More information about the Users mailing list