[strongSwan] Windows IKE and PFS settings

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jan 20 13:23:22 CET 2020

Hi Victor,

Probably means ...
1) master key pfs: rekey/reauth the IKE_SA every time a new CHILD_SA is negotiated
2) session key pfs: use an (EC)DHE KEX when negotiating new CHILD_SAs.

To be sure we'd need to test those cases and look at what it does differently.

Kind regards


On 20.01.20 at 08:14, Victor Sudakov wrote:
> Victor Sudakov wrote:
>> Tobias Brunner wrote:
>>>>     esp=3des-sha1!
>>> PFS is enabled if you add a DH group to the ESP proposal.
>> I suspected that, but Windows offers two knobs which can be enabled independently, that's the confusion.
>> Here is what I've been able to gather from some Windows networking
>> cookbooks about those knobs: http://admin.sibptus.ru/~vas/SessionVsMasterPFS.png
> So, does anyone have an idea what those knobs could mean to strongSwan
> while selected/deselected in Windows independently from each other?
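
Added example, not part of the original thread or of strongSwan itself: a small audit of `ipsec.conf` text that flags `esp=` proposals lacking a DH group, following the quoted statement that PFS is enabled when a DH group is added to the ESP proposal. The sample config, the connection names, and the set of DH keywords matched (modp*, ecp*, curve25519/x25519, curve448/x448) are assumptions made for illustration.

```python
import re

# DH/ECDH group keywords in strongSwan proposal strings (assumed subset).
DH_TOKEN = re.compile(
    r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|x25519|curve448|x448)$"
)

def proposal_has_dh(proposal: str) -> bool:
    """True if one ESP proposal, e.g. 'aes256-sha256-modp2048', names a DH group."""
    tokens = proposal.strip().rstrip("!").lower().split("-")
    return any(DH_TOKEN.match(t) for t in tokens)

def audit_esp(conf_text: str):
    """Return (conn, proposal, has_pfs) for every esp= proposal in ipsec.conf text."""
    results, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "esp" and conn is not None:
            # A trailing '!' marks the list as strict; it is not part of a proposal.
            for proposal in value.split(","):
                p = proposal.strip().rstrip("!")
                if p:
                    results.append((conn, p, proposal_has_dh(p)))
    return results

# Constructed sample configuration (hypothetical connection names).
SAMPLE = """
conn win-no-pfs
    keyexchange=ikev2
    esp=3des-sha1!

conn win-pfs
    keyexchange=ikev2
    esp=aes256-sha256-modp2048,aes128-sha1!   # second proposal has no DH group
"""

if __name__ == "__main__":
    for conn, proposal, has_pfs in audit_esp(SAMPLE):
        print(f"{conn:12} {proposal:26} {'PFS' if has_pfs else 'no DH group'}")
```

A connection that lists proposals both with and without a DH group leaves the choice to negotiation, so each proposal is reported separately.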

