[Openswan Users] Regarding the PFS

Shi Lang shilang at greenpacket.com
Fri Jan 20 14:55:59 CET 2006

Thanks Paul.

Because I saw windows can configure either IKE PFS or IPSEC PFS or both.


Shi Lang
Quality Assurance Engineer
GreenPacket Bhd

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Friday, January 20, 2006 12:52 PM
To: Shi Lang
Cc: users at openswan.org
Subject: Re: [Openswan Users] Regarding the PFS

On Fri, 20 Jan 2006, Shi Lang wrote:

> I am wondering the PFS in Openswan is IKE PFS or IPsec PFS?

AFAIK, pfs is either disabled or active for both.

> How to test and verify it that PFS is really working.

You should see whether pfs is in use in the SA Estbalihed lines.
If you want to confirm it is working, you could use plutodebug=
and klipsdebug= to check the messages.

Note that openswan still accepts PFS in the proposal even with
pfs=no (because there is no reason to refuse it even when it
wasn't announced by the other peer).


More information about the Users mailing list