[Openswan Users] Different PFS setting but can connect success

Peter McGill petermcgill at goco.net
Wed Dec 19 12:49:22 EST 2007 

But really, why would you want to disable it, if your successfully connecting, since it increases security!
 
Peter McGill
 


  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Gbenga
Sent: December 19, 2007 9:44 AM
To: users at lists.openswan.org
Cc: Argon_Cheng at sdc.sercomm.com
Subject: Re: [Openswan Users] Different PFS setting but can connect success


set pfs=no on both sides. this ensures that neither of the vpn server request pfs.
 
Rgds,


----- Original Message ----
From: "Argon_Cheng at sdc.sercomm.com" <Argon_Cheng at sdc.sercomm.com>
To: users at openswan.org
Sent: Wednesday, 19 December, 2007 1:29:58 PM
Subject: Re: [Openswan Users] Different PFS setting but can connect success


Hi, 
        Is there anybody knows how to disable this feature?, I means, do not use PFS feature if I disable it. 
        
Best Regards
Argon Cheng
TEL: 86-512-67612332 ext: 1220 



	Ruben Laban <r.laban at ism.nl> 
寄件人: users-bounces at openswan.org 


2007-12-19 16:40 

        
        收件人:        users at openswan.org 
        副本抄送:         
        主旨:        Re: [Openswan Users] Different PFS setting but can connect success	



On Wednesday 19 December 2007, Argon_Cheng at sdc.sercomm.com wrote:
>         I have two VPN stations(using openswan 2.4.4). I set PFS disable
> in left station while PFS enable in right station. But these two stations
> can establish VPN connection success. Is there anyone know the reason?

>From the ipsec.conf manpage:

pfs

Whether Perfect Forward Secrecy of keys is desired on the connection's keying 
channel (with PFS, penetration of the key-exchange protocol does not 
compromise keys negotiated earlier); Since there is no reason to ever refuse 
PFS, Openswan will allow a connection defined with pfs=no to use PFS anyway. 
Acceptable values are yes (the default) and no.

Regards,
-- 
Ruben Laban
Systems and Network Administrator
r.laban at ism.nl
 
ISM eCompany
Van Nelleweg 1
Postbus 13043
3004 HA Rotterdam
+31 (0)10 243 6000 (tel)
+31 (0)10 243 6066 (fax)
www.ism.nl

Quality Solutions - Reliable Partner
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155




  _____  

Sent from Yahoo! <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=51949/*http://uk.docs.yahoo.com/mail/winter07.html>  - a smarter inbox.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20071219/2bb5f036/attachment.html

More information about the Users mailing list