[strongSwan] Windows IKE and PFS settings
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jan 20 13:23:22 CET 2020
Hi Victor,
Probably means ...
1) master key pfs: rekey/reauth the IKE_SA every time a new CHILD_SA is negotiated
2) session key pfs: use an (EC)DHE KEX when negotiating new CHILD_SAs.
To be sure we'd need to test those cases and look at what it does differently.
Kind regards
Noel
On 20.01.20 at 08:14, Victor Sudakov wrote:
> Victor Sudakov wrote:
>> Tobias Brunner wrote:
>>>
>>>> esp=3des-sha1!
>>>
>>> PFS is enabled if you add a DH group to the ESP proposal.
>>
>> I suspected that, but Windows offers two knobs which can be enabled independently, that's the confusion.
>>
>> Here is what I've been able to gather from some Windows networking
>> cookbooks about those knobs: http://admin.sibptus.ru/~vas/SessionVsMasterPFS.png
>
> So, does anyone have an idea what those knobs could mean to strongSwan
> while selected/deselected in Windows independently from each other?
>
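
Added example, not part of the original thread and not strongSwan's own code: a small Python check that reads ipsec.conf-style text and reports, for each `esp=` line, which proposals carry a DH group, the condition Tobias Brunner gives in the quoted reply for PFS. The connection names, the sample config (apart from `esp=3des-sha1!`) and the DH keyword pattern, which is not exhaustive, are assumptions.

```python
import re

# DH group keywords used in strongSwan proposal strings (assumed, not exhaustive).
DH_GROUP = re.compile(
    r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|x25519|curve448|x448)$")


def parse_esp(value):
    """Split an ipsec.conf esp= value into (proposals, strict)."""
    value = value.strip()
    strict = value.endswith("!")  # "!" restricts the peer to the listed proposals
    proposals = [p.strip().lower()
                 for p in value.rstrip("!").split(",") if p.strip()]
    return proposals, strict


def pfs_report(conf_text):
    """Return one dict per esp= line found in ipsec.conf-style text."""
    report, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif re.match(r"^esp\s*=", line):
            proposals, strict = parse_esp(line.split("=", 1)[1])
            # A proposal asks for a DH exchange on the CHILD_SA only if one
            # of its "-"-separated tokens is a DH group.
            with_dh = [p for p in proposals
                       if any(DH_GROUP.match(t) for t in p.split("-"))]
            report.append({
                "conn": conn,
                "strict": strict,
                "pfs": "all" if len(with_dh) == len(proposals) and proposals
                       else "some" if with_dh else "none",
                "no_dh": [p for p in proposals if p not in with_dh],
            })
    return report


# Constructed sample; only the first esp= value is quoted in the thread.
SAMPLE = """
conn win-nopfs
    esp=3des-sha1!
conn win-pfs
    esp=3des-sha1-modp1024!
conn mixed
    esp=aes256-sha256-ecp256,aes128-sha1   # second proposal has no DH group
"""

if __name__ == "__main__":
    for row in pfs_report(SAMPLE):
        print(row)
```

A result of `some` marks a connection where the peer can still select a proposal without a DH group, so whether PFS is used depends on what the other side offers.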