[Openswan Users] Cisco VPN connection

Andy Gay andy at andynet.net
Tue Aug 29 10:43:29 EDT 2006

On Tue, 2006-08-29 at 16:15 +0200, Paul Wouters wrote:
> On Tue, 29 Aug 2006, Andy Gay wrote:
> > Seems you need pfs=yes, AFAIK that's what "pfs group 2" means in the
> > Cisco.
> Luckilly, if openswan detects PFS, it will use it despite the pfs=no setting :)

That's OK if Openswan is the responder, but most (all?) other IPsec
implementations aren't so clever. If Openswan initiates, it'll use
what's configured, if that doesn't match the other end the negotiations
fail. I've had that problem many times.

More information about the Users mailing list