[Openswan Users] DH2 with no PFS in Phase 2
Peter McGill
petermcgill at goco.net
Wed Aug 23 09:37:45 EDT 2006
> How do I define in ipsec.conf to use Diffie Hellman Key Group 2 (1024
> bit) in the first phase and no PFS in the second phase.
Very simply:
ipsec.conf:
conn your-conn-name
    # note specifying the whole line below allows all options specified but prefers the first
    # you can simplify it by only specifying one of the comma separated options
    # DH Group 5 (1536) is also supported in the same way, and is a better choice if both sides support
    ike=aes128-sha1-modp1024,aes128-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
    pfs=no # note if both sides support pfs, it's better to have it on
Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
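
An added example, not part of the original post and not Openswan code: a small Python check that parses conn sections like the one in the reply and reports ike= proposals that use a DH group below 1536 bits and connections with pfs=no, following the two recommendations in the reply's comments. The sample config is constructed; the function names, the 1536-bit threshold and the simplified comment handling are assumptions of this example.

```python
import re

# IKE MODP names as written in ike= proposals -> (DH group number, modulus bits)
DH_GROUPS = {"modp1024": (2, 1024), "modp1536": (5, 1536), "modp2048": (14, 2048)}

# Constructed sample, modelled on the snippet in the post.
SAMPLE_CONF = """\
conn your-conn-name
    # preferred proposal first
    ike=aes128-sha1-modp1024,aes128-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
    pfs=no # better on if both sides support it
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        # Simplification: whitespace (or line start) followed by '#' begins a comment.
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(conns, min_bits=1536):
    """Return (conn, finding) pairs; min_bits=1536 is this example's assumption."""
    findings = []
    for name, opts in conns.items():
        for rank, proposal in enumerate(opts.get("ike", "").split(","), 1):
            group = proposal.strip().rsplit("-", 1)[-1]
            number, bits = DH_GROUPS.get(group, (None, 0))
            if number and bits < min_bits:
                findings.append((name, f"ike proposal {rank}: DH group {number} ({bits} bit)"))
        if opts.get("pfs", "yes").lower() == "no":  # pfs defaults to yes
            findings.append((name, "pfs=no: Phase 2 rekeys without a new DH exchange"))
    return findings

if __name__ == "__main__":
    for conn, finding in audit(parse_conns(SAMPLE_CONF)):
        print(f"{conn}: {finding}")
```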