[strongSwan] PfsGroup
Tobias Brunner
tobias at strongswan.org
Tue Feb 20 14:17:38 CET 2018
Hi Chris,
> Is that option maybe obsolete with IKEv2? Afterall, pfsgroup is listed under "Removed parameters (since 5.0.0)":
DH groups for IPsec SAs are configured differently for IKEv2 and since
5.0.0 also for IKEv1. They are added to ESP/AH proposals (esp/ah
setting in ipsec.conf). If you currently don't have any configured then
use `none` on Windows. However, if you want to use a separate DH
exchange when rekeying CHILD_SAs then configure a matching DH group on
both ends.
Regards,
Tobias
More information about the Users
mailing list