[strongSwan] PfsGroup
Christopher Bachner
hello at chrisbox.org
Tue Feb 20 17:06:54 CET 2018
Hi Tobias,
Thanks! Worked great!
-Chris
On Tue, Feb 20, 2018, at 14:17, Tobias Brunner wrote:
> Hi Chris,
>
> > Is that option maybe obsolete with IKEv2? After all, pfsgroup is listed under "Removed parameters (since 5.0.0)":
>
> DH groups for IPsec SAs are configured differently for IKEv2 and since
> 5.0.0 also for IKEv1. They are added to ESP/AH proposals (esp/ah
> setting in ipsec.conf). If you currently don't have any configured then
> use `none` on Windows. However, if you want to use a separate DH
> exchange when rekeying CHILD_SAs then configure a matching DH group on
> both ends.
>
> Regards,
> Tobias
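
An added example, not part of the thread and not strongSwan code: a small Python audit that reads an ipsec.conf and reports, per conn, whether the esp proposals carry a DH group, which is where the reply above says the group is now configured. The sample file, the conn names and the prefix-based DH keyword match are assumptions; `also=` and `%default` inheritance are not resolved.

```python
import re

# Constructed sample ipsec.conf (conn names and proposals are made up).
SAMPLE_CONF = """\
conn win-clients
    ike=aes256-sha256-modp2048
    esp=aes256-sha256,aes128-sha1!

conn site-b
    esp=aes256gcm16-ecp256,aes256-sha256-modp2048!

conn mixed
    esp=aes256-sha256-modp2048,aes256-sha256

conn legacy
    left=%any
"""

# Assumption: DH group keywords are recognised by prefix (modp*, ecp*,
# curve*, x25519, x448); this is not strongSwan's full keyword table.
DH_TOKEN = re.compile(r"^(modp\d+|ecp\d+|curve\d+|x25519|x448)", re.I)

def parse_conns(text):
    """Return {conn_name: {key: value}}; 'also=' inheritance is not resolved."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def dh_status(proposals):
    """Classify an esp/ah value: 'all', 'some' or 'none' proposals carry a DH group."""
    props = [p for p in proposals.rstrip("!").split(",") if p.strip()]
    with_dh = [any(DH_TOKEN.match(t) for t in p.strip().split("-")) for p in props]
    return "all" if props and all(with_dh) else "some" if any(with_dh) else "none"

def audit(text):
    """Map each conn to the DH status of its esp proposals ('unset' if absent)."""
    return {name: dh_status(opts["esp"]) if "esp" in opts else "unset"
            for name, opts in parse_conns(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A conn reported as `none` or `unset` has no DH group in its esp proposals, so no separate DH exchange is configured for CHILD_SA rekeying; `some` means the outcome depends on which proposal the peer selects. The DH group in the `ike=` line is not counted.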