[strongSwan] IPSec Configuration - IKEv1 with PFS
Newton, Benjamin David
bdnewto at sandia.gov
Thu Jan 25 01:26:09 CET 2018
I am trying to set up a site-to-site VPN using StrongSwan. The requirements for the VPN are:
- Encapsulation Security Payload (ESP)
- Encryption: AES-256
- Authentication: SHA-1
- IPSec / IKE Authentication: Pre-shared secret and digital certificate
- IKE: Version 1
- IKE phase 1: Diffie-Hellman group 5
- Perfect Forward Secrecy (PFS): Diffie-Hellman group 1
- Pre-shared secret key
I have the following as a start in my ipsec.conf file
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    authby=secret
However, I don't know how to specify the Perfect Forward Secrecy (PFS) as DH group 1.
I'm also uncertain if the other entries are correct for the requirements above. (Do I need to specify the digital certificate?) (Do I need both an ike and esp line?)
Any suggestions or help would be greatly appreciated.
Thanks,
Ben Newton
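
An added example, not part of the original post and not taken from the strongSwan project: in ipsec.conf the Diffie-Hellman group used for PFS during IKEv1 quick mode is the last element of the esp= proposal, so the listed requirements map to modp1536 (group 5) on the ike= line and modp768 (group 1) on the esp= line. The connection name, addresses and subnets below are constructed placeholders.

```conf
# ipsec.conf fragment (added example; conn name, addresses and subnets are placeholders)
conn site-to-site
    keyexchange=ikev1
    # authby=secret selects the pre-shared key, which is stored in ipsec.secrets
    authby=secret
    # IKE phase 1: AES-256, SHA-1, DH group 5 (1536-bit MODP)
    ike=aes256-sha1-modp1536
    # ESP (phase 2): AES-256, SHA-1. A DH group on this line turns on PFS;
    # modp768 is DH group 1. 768-bit MODP is below current strength
    # recommendations and appears here only because the stated requirement names it.
    esp=aes256-sha1-modp768
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    # Placeholder endpoints (documentation address ranges) and protected subnets
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    auto=start
```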