<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi, Nick<br>
<br>
So, if the far side proposes no pfs, I must set pfs=no on my side, is
that right?<br>
<br>
<br>
On 2012-10-21 20:54, Nick Howitt wrote:<br>
</div>
<blockquote cite="mid:5083F09E.6000504@gmail.com" type="cite">
No, it is the other way round. If you set pfs=no, then if the far
side proposes pfs your side will use pfs anyway. If you set
pfs=yes then if the far side proposes no pfs the connection will
fail. If you set pfs=yes and the far side proposes pfs then pfs
will be used.<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 21/10/2012 12:57, Patrick Naubert
wrote:<br>
</div>
<blockquote
cite="mid:386E24B7-7A20-469F-899C-5AC48A91A33B@xelerance.com"
type="cite">
Rescued from the Spam bucket. Please remember to register to
the mailing list before posting to it.<br>
<div><br>
<div>Begin forwarded message:</div>
<br class="Apple-interchange-newline">
<div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"><span style="color:
rgb(127, 127, 127); "><b>From: </b></span>Sury Bu <<a
moz-do-not-send="true" href="mailto:bushurui@gmail.com">bushurui@gmail.com</a>></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"><span
style="font-family:'Helvetica'; font-size:medium;
color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span
style="font-family:'Helvetica'; font-size:medium;"><b>Question
about PFS</b><br>
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"><span
style="font-family:'Helvetica'; font-size:medium;
color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span
style="font-family:'Helvetica'; font-size:medium;">21
October, 2012 8:03:05 AM EDT<br>
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"><span
style="font-family:'Helvetica'; font-size:medium;
color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span
style="font-family:'Helvetica'; font-size:medium;"><a
moz-do-not-send="true"
href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br>
</span></div>
<br>
<br>
<div bgcolor="#FFFFFF" text="#000000"> Hi, all<br>
<br>
In the ipsec.conf manual page, it says "<font color="#ff0000">Openswan
will allow a connection defined with pfs=no to use PFS
anyway</font>." <br>
<br>
As I understand it, this means that if pfs=no is set on our side,
then the remote side must use PFS.<br>
<br>
And if pfs=yes is set on our side, then the remote side can use PFS
or not use PFS.<br>
<br>
But if I set pfs=yes, when I use the ipsec auto --status
command, I find the policy displays +PFS+ as below:<br>
<i><br>
</i><i>000 "ewelltouh": myip=172.16.66.254;
hisip=unset;</i><i><br>
</i><i>000 "ewelltouh": ike_life: 28800s; ipsec_life:
3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0</i><i><br>
</i><i>000 "ewelltouh": </i><i><font color="#ff0000">policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
prio: 32,32; interface: eth0;</font></i><i><br>
</i><i>000 "ewelltouh": dpd: action:clear; delay:0;
timeout:0;</i><i><br>
</i><i>000 "ewelltouh": newest ISAKMP SA: #0; newest
IPsec SA: #0;</i><i><br>
</i><i>000 "ewelltouh": IKE algorithms wanted:
AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict</i><i><br>
</i><i>000 "ewelltouh": IKE algorithms found:
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)</i><i><br>
</i><i>000 "ewelltouh": ESP algorithms wanted:
AES(12)_256-MD5(1)_000; flags=-strict</i><i><br>
</i><i>000 "ewelltouh": ESP algorithms loaded:
AES(12)_256-MD5(1)_128</i><i><br>
</i><i>000</i><i><br>
</i><i>000 #34: "ewelltouh":500 STATE_QUICK_I1 (sent QI1,
expecting QR1); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq
in:0 out:0); idle; import:admin initiate</i><br>
<br>
And if I set pfs=no, PFS no longer appears. Is the
manual page written in the wrong way? And if the remote side does not use
PFS, must I set pfs=yes?<br>
<i><br>
</i><i>000 "ewelltouh":
172.16.66.254/32===115.238.69.227<115.238.69.227>[+S=C]---115.238.69.227...115.238.69.225---202.123.80.227<202.123.80.227>[+S=C]:1/0===192.168.248.78/32;
unrouted; eroute owner: #0</i><i><br>
</i><i>000 "ewelltouh": myip=172.16.66.254;
hisip=unset;</i><i><br>
</i><i>000 "ewelltouh": ike_life: 28800s; ipsec_life:
3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0</i><i><br>
</i><i>000 "ewelltouh": </i><i><font color="#ff0000">policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
prio: 32,32; interface: eth0;</font></i><i><br>
</i><i>000 "ewelltouh": dpd: action:clear; delay:0;
timeout:0;</i><i><br>
</i><i>000 "ewelltouh": newest ISAKMP SA: #0; newest
IPsec SA: #0;</i><i><br>
</i><i>000 "ewelltouh": IKE algorithms wanted:
AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict</i><i><br>
</i><i>000 "ewelltouh": IKE algorithms found:
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)</i><i><br>
</i><i>000 "ewelltouh": ESP algorithms wanted:
AES(12)_256-MD5(1)_000; flags=-strict</i><i><br>
</i><i>000 "ewelltouh": ESP algorithms loaded:
AES(12)_256-MD5(1)_128</i><i><br>
</i><i>000</i><i><br>
</i><i>000 #2: "ewelltouh":500 STATE_QUICK_I1 (sent QI1,
expecting QR1); EVENT_RETRANSMIT in 25s; lastdpd=-1s(seq
in:0 out:0); idle; import:admin initiate</i><i><br>
</i><i>000</i><br>
<br>
Thanks,<br>
Sury Bu<br>
<br>
<br>
</div>
<br>
<br>
</div>
</div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
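The following is an added example, not code from the thread or from the Openswan project. It does two things a practitioner would want after reading the exchange above: it parses the policy line of `ipsec auto --status` output to report which connections currently carry the PFS flag, and it encodes Nick's description of how the local pfs= setting combines with the far side's proposal. The sample input is a constructed subset of the status lines quoted in the thread, with each record on one line as the tool actually prints it; the case "pfs=no and the far side proposes no PFS" is not spelled out in the thread and is filled in here as an assumption.

```python
import re

# Constructed sample input: the 'policy:' lines quoted in the thread,
# one status record per line (the mail client wrapped them).
STATUS_PFS_YES = """\
000 "ewelltouh": myip=172.16.66.254; hisip=unset;
000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "ewelltouh": dpd: action:clear; delay:0; timeout:0;
"""

STATUS_PFS_NO = """\
000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "ewelltouh": dpd: action:clear; delay:0; timeout:0;
"""

# Matches the connection name and the '+'-joined flag list of a policy line.
POLICY_RE = re.compile(r'^000 "(?P<conn>[^"]+)": policy: (?P<flags>[^;]+);')


def parse_policies(status_text):
    """Map each connection name to the set of flags shown on its 'policy:' line."""
    policies = {}
    for line in status_text.splitlines():
        match = POLICY_RE.match(line)
        if match:
            policies[match.group("conn")] = set(match.group("flags").split("+"))
    return policies


def connections_without_pfs(status_text):
    """Audit helper: names of connections whose policy does not include PFS."""
    return sorted(conn for conn, flags in parse_policies(status_text).items()
                  if "PFS" not in flags)


def negotiated_pfs(local_pfs, far_side_proposes_pfs):
    """Outcome as Nick described it.

    Returns True if PFS ends up being used, False if the connection comes up
    without PFS, and None if the connection fails.
    """
    if far_side_proposes_pfs:
        # pfs=no still accepts PFS if offered; pfs=yes of course uses it.
        return True
    if local_pfs:
        # pfs=yes but the far side offers no PFS: the connection fails.
        return None
    # Assumption (not stated in the thread): pfs=no with no PFS offered
    # simply comes up without PFS.
    return False


if __name__ == "__main__":
    for label, text in (("pfs=yes", STATUS_PFS_YES), ("pfs=no", STATUS_PFS_NO)):
        missing = connections_without_pfs(text)
        print(f"{label}: connections lacking PFS in policy: {missing or 'none'}")
    print("far side offers no PFS, local pfs=yes ->", negotiated_pfs(True, False))
```

Run it against the saved output of `ipsec auto --status` to list every connection that would come up without PFS; the second function answers the original question directly: with the far side offering no PFS, only pfs=no produces a working tunnel.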
</body>
</html>