[Openswan Users] Question about PFS
Patrick Naubert
patrickn at xelerance.com
Sun Oct 21 07:57:55 EDT 2012
Rescued from the Spam bucket. Please remember to register to the mailing list before posting to it.
Begin forwarded message:
From: Sury Bu <bushurui at gmail.com>
Subject: Question about PFS
Date: 21 October, 2012 8:03:05 AM EDT
To: users at lists.openswan.org
Hi, all
In the ipsec.conf manual page, it says "Openswan will allow a connection defined with pfs=no to use PFS anyway."
As I understand it, this means that if pfs=no is set on our side, then the remote side must use PFS.
And if pfs=yes is set on our side, then the remote side can either use PFS or not use PFS.
But if I set pfs=yes, when I run the ipsec auto --status command, I find that the policy displays +PFS+ as below:
000 "ewelltouh": myip=172.16.66.254; hisip=unset;
000 "ewelltouh": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "ewelltouh": dpd: action:clear; delay:0; timeout:0;
000 "ewelltouh": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ewelltouh": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "ewelltouh": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "ewelltouh": ESP algorithms wanted: AES(12)_256-MD5(1)_000; flags=-strict
000 "ewelltouh": ESP algorithms loaded: AES(12)_256-MD5(1)_128
000
000 #34: "ewelltouh":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
And if I set pfs=no, PFS no longer appears. Is the manual page written the wrong way round? And if the remote side does not use PFS, must I set pfs=yes?
000 "ewelltouh": 172.16.66.254/32===115.238.69.227<115.238.69.227>[+S=C]---115.238.69.227...115.238.69.225---202.123.80.227<202.123.80.227>[+S=C]:1/0===192.168.248.78/32; unrouted; eroute owner: #0
000 "ewelltouh": myip=172.16.66.254; hisip=unset;
000 "ewelltouh": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "ewelltouh": dpd: action:clear; delay:0; timeout:0;
000 "ewelltouh": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ewelltouh": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "ewelltouh": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "ewelltouh": ESP algorithms wanted: AES(12)_256-MD5(1)_000; flags=-strict
000 "ewelltouh": ESP algorithms loaded: AES(12)_256-MD5(1)_128
000
000 #2: "ewelltouh":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 25s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
Thanks,
Sury Bu
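Added example (not part of the original post and not Openswan code): a small parser for the `ipsec auto --status` output format shown above, which extracts the per-connection policy flags and the IKE Diffie-Hellman group, so an operator can check from a status dump whether a connection has PFS in its policy. The two sample inputs are constructed from the excerpts in the post (one run with pfs=yes, one with pfs=no); the line format is assumed to be the one shown there.

```python
import re

# Constructed sample input, modelled on the `ipsec auto --status` excerpts
# in the post above: the first dump was taken with pfs=yes, the second with pfs=no.
STATUS_PFS_YES = """\
000 "ewelltouh": myip=172.16.66.254; hisip=unset;
000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "ewelltouh": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "ewelltouh": ESP algorithms loaded: AES(12)_256-MD5(1)_128
"""

STATUS_PFS_NO = """\
000 "ewelltouh": myip=172.16.66.254; hisip=unset;
000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "ewelltouh": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "ewelltouh": ESP algorithms loaded: AES(12)_256-MD5(1)_128
"""

# One status line of the form:  000 "<conn>": <key>: <rest>
# (lines such as the myip=... line have no "<key>: " part and are skipped)
LINE_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<key>[^:]+): (?P<rest>.*)$')
# The DH group appears as "-MODP1024(2)" in the IKE algorithm line.
DH_RE = re.compile(r'-(MODP\d+)\(\d+\)')


def parse_status(text):
    """Return {conn_name: {'policy': set(flags), 'dh_group': str or None}}."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = conns.setdefault(m.group('conn'), {'policy': set(), 'dh_group': None})
        key, rest = m.group('key'), m.group('rest')
        if key == 'policy':
            # "PSK+ENCRYPT+TUNNEL+PFS+...; prio: 32,32; interface: eth0;"
            flags = rest.split(';', 1)[0]
            entry['policy'] = set(flags.split('+'))
        elif key == 'IKE algorithms found':
            dh = DH_RE.search(rest)
            if dh:
                entry['dh_group'] = dh.group(1)
    return conns


def pfs_report(text):
    """Map each connection name to True if PFS is in its configured policy."""
    return {name: 'PFS' in e['policy'] for name, e in parse_status(text).items()}


if __name__ == '__main__':
    for label, dump in (('pfs=yes', STATUS_PFS_YES), ('pfs=no', STATUS_PFS_NO)):
        for name, entry in parse_status(dump).items():
            print(f"{label}: {name}: PFS={'PFS' in entry['policy']} dh_group={entry['dh_group']}")
```

The policy line reflects the local connection's configured policy bits, which is why +PFS+ appears only when pfs=yes is set; it does not by itself tell you what the remote peer proposed. The DH group is extracted alongside because the strength of PFS depends on the group actually negotiated (MODP1024 in the post's output).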