[Openswan Users] Regarding the PFS

Paul Wouters paul at xelerance.com
Fri Jan 20 05:52:21 CET 2006


On Fri, 20 Jan 2006, Shi Lang wrote:

> I am wondering whether the PFS in Openswan is IKE PFS or IPsec PFS?

AFAIK, pfs is either disabled or active for both.

> How can I test and verify that PFS is really working?

You should see whether pfs is in use in the SA Established lines.
If you want to confirm it is working, you could use plutodebug=
and klipsdebug= to check the messages.

Note that openswan still accepts PFS in the proposal even with
pfs=no (because there is no reason to refuse it even when it
wasn't announced by the other peer).

Paul

