<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    I'd also like someone to clarify this question. From what I
    understand currently, using EDH for the IKE_SA is PFS as it is in
    "usual" SSL/TLS (e.g. in HTTPS): you'll get a new EDH key for every
    new IKE_SA negotiation.<br>
    But EDH in the CHILD_SA is what you would call "key rotation". If you
    use EDH in the CHILD_SA, you'll get a new EDH key every rekey, i.e. every
    hour or so.<br>
    Is this correct?<br>
    <br>
    <div class="moz-cite-prefix">On 03/01/2016 02:55 PM, John Brown
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAMCukfXkDZUjkdk0WsK9Vb6QmnjE3DMcL3UafUQ2GNnJZowusw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div><span class="im">
                  <div>
                    <div>Hi, <br>
                    </div>
                    <br>
                  </div>
                  I can give you two links with a small amount of
                  information about your question:<br>
                  <br>
                </span><a moz-do-not-send="true"
href="http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html"
                  target="_blank">http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html</a><br>
                <br>
              </div>
              and <br>
              <br>
              <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS"
                target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS</a><br>
              <br>
            </div>
            <br>
          </div>
          Regards,<br>
          <br>
        </div>
        John</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2016-03-01 11:23 GMT+01:00 Harald
          Dunkel <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:harald.dunkel-N2c6Q/boOuSzQB+pC5nmwQ@public.gmane.org"
              target="_blank">harald.dunkel-N2c6Q/boOuSzQB+pC5nmwQ@public.gmane.org</a>></span>:<br>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
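    The derivation the thread is arguing about, as an added example that is not part of any message in this thread: the IKEv2 CHILD_SA key derivation from RFC 7296 (prf+ keyed with SK_d, with or without a fresh DH secret g^ir mixed in), plus a small model of what a later leak of SK_d exposes in each case. It assumes HMAC-SHA256 as the negotiated PRF, uses constructed byte strings throughout, and stands in a constant for g^ir rather than doing a real Diffie-Hellman computation.<br>

```python
import hashlib
import hmac
from typing import List, Optional

# Added example, not code from the thread or from strongSwan.
# PRF_HMAC_SHA2_256 stands in for the negotiated IKEv2 PRF; every byte string
# here is a constructed sample value, and the "g^ir" values are constants that
# stand in for a real DH shared secret (no DH is computed).

KEY_LEN = 64  # bytes of KEYMAT to derive for one CHILD_SA (e.g. two AES-256 keys)


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) as PRF_HMAC_SHA2_256 (RFC 7296 section 2.13)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ expansion from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ...
    """
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes,
                 dh_shared: Optional[bytes] = None) -> bytes:
    """CHILD_SA KEYMAT (RFC 7296 section 2.17).
    Without PFS:  KEYMAT = prf+(SK_d, Ni | Nr)
    With PFS:     KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
    SK_d comes from the IKE_SA; Ni and Nr travel in the clear in the
    CREATE_CHILD_SA exchange, so only SK_d and g^ir are secret inputs.
    """
    seed = (dh_shared or b"") + ni + nr
    return prf_plus(sk_d, seed, KEY_LEN)


def rekey_series(sk_d: bytes, rounds: int, pfs: bool) -> List[bytes]:
    """KEYMAT for a CHILD_SA and its next `rounds - 1` rekeys under one IKE_SA.
    Nonces (and, with PFS, the DH secret) are constructed deterministically per
    round so the result is reproducible; real peers draw them at random.
    """
    keys = []
    for i in range(rounds):
        ni = hashlib.sha256(b"Ni-%d" % i).digest()
        nr = hashlib.sha256(b"Nr-%d" % i).digest()
        dh = hashlib.sha256(b"g^ir-%d" % i).digest() if pfs else None
        keys.append(child_keymat(sk_d, ni, nr, dh))
    return keys


def later_compromise(sk_d: bytes, ni: bytes, nr: bytes, dh_shared: bytes) -> dict:
    """Model the situation the thread is about: SK_d leaks some time after a
    CHILD_SA rekey, the nonces were recorded from the wire, and the DH private
    values were erased after the exchange, so the fresh g^ir is not available.
    Returns whether the negotiated KEYMAT can be recomputed from SK_d + nonces.
    """
    negotiated_no_pfs = child_keymat(sk_d, ni, nr)
    negotiated_pfs = child_keymat(sk_d, ni, nr, dh_shared)
    recomputed = child_keymat(sk_d, ni, nr)  # all that SK_d + nonces allow
    return {
        "no_pfs_recoverable": recomputed == negotiated_no_pfs,
        "pfs_recoverable": recomputed == negotiated_pfs,
    }


if __name__ == "__main__":
    sk_d = bytes(range(32))          # constructed SK_d from the IKE_SA
    ni, nr = b"\x11" * 16, b"\x22" * 16  # constructed nonces
    g_ir = b"\x33" * 32              # constructed stand-in for a fresh g^ir
    print(later_compromise(sk_d, ni, nr, g_ir))
    for pfs in (False, True):
        keys = rekey_series(sk_d, 3, pfs)
        print("pfs=%s distinct keys per rekey: %d" % (pfs, len(set(keys))))
```

Both modes hand out a different KEYMAT at every rekey, which is the "key rotation" the first message describes. The difference shows up in <code>later_compromise</code>: without a DH group on the CHILD_SA, SK_d plus the public nonces reproduce every ESP key ever derived under that IKE_SA, while with a DH group each rekey also mixes in a new g^ir that SK_d alone cannot yield. In strongSwan that is what appending a DH group to the ESP proposal does (for example <code>esp=aes256gcm16-modp2048</code> in ipsec.conf).<br>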
    <br>
  </body>
</html>