[Openswan Users] Question about PFS
Sury Bu
bushurui at gmail.com
Sun Oct 21 09:37:16 EDT 2012
Hi, Nick
So, if the far side proposes no PFS, I must set pfs=no on my side, is that right?
On 2012-10-21 20:54, Nick Howitt wrote:
> No, it is the other way round. If you set pfs=no, then if the far side
> proposes pfs your side will use pfs anyway. If you set pfs=yes then if
> the far side proposes no pfs the connection will fail. If you set
> pfs=yes and the far side proposes pfs then pfs will be used.
>
> Nick
>
> On 21/10/2012 12:57, Patrick Naubert wrote:
>> Rescued from the Spam bucket. Please remember to register to the
>> mailing list before posting to it.
>>
>> Begin forwarded message:
>>
>> From: Sury Bu <bushurui at gmail.com>
>> Subject: Question about PFS
>> Date: 21 October, 2012 8:03:05 AM EDT
>> To: users at lists.openswan.org
>>
>>
>> Hi, all
>>
>> In ipsec.conf manual page, it said "Openswan will allow a connection
>> defined with pfs=no to use PFS anyway."
>>
>> As I understand it, this means that if pfs=no is set on our side, then the
>> remote side must use PFS.
>>
>> And if pfs=yes is set on our side, then the remote side can use PFS or not use PFS.
>>
>> But if I set pfs=yes, when I run the ipsec auto --status command, I find
>> the policy displays +PFS+ as below:
>>
>> 000 "ewelltouh": myip=172.16.66.254; hisip=unset;
>> 000 "ewelltouh": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
>> 000 "ewelltouh": dpd: action:clear; delay:0; timeout:0;
>> 000 "ewelltouh": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "ewelltouh": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
>> 000 "ewelltouh": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
>> 000 "ewelltouh": ESP algorithms wanted: AES(12)_256-MD5(1)_000; flags=-strict
>> 000 "ewelltouh": ESP algorithms loaded: AES(12)_256-MD5(1)_128
>> 000
>> 000 #34: "ewelltouh":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
>>
>> And if I set pfs=no, PFS no longer appears. Is the manual page
>> written the wrong way round? And if the remote side does not use PFS, must I set pfs=yes?
>>
>> 000 "ewelltouh": 172.16.66.254/32===115.238.69.227<115.238.69.227>[+S=C]---115.238.69.227...115.238.69.225---202.123.80.227<202.123.80.227>[+S=C]:1/0===192.168.248.78/32; unrouted; eroute owner: #0
>> 000 "ewelltouh": myip=172.16.66.254; hisip=unset;
>> 000 "ewelltouh": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
>> 000 "ewelltouh": dpd: action:clear; delay:0; timeout:0;
>> 000 "ewelltouh": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "ewelltouh": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
>> 000 "ewelltouh": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
>> 000 "ewelltouh": ESP algorithms wanted: AES(12)_256-MD5(1)_000; flags=-strict
>> 000 "ewelltouh": ESP algorithms loaded: AES(12)_256-MD5(1)_128
>> 000
>> 000 #2: "ewelltouh":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 25s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
>> 000
>>
>> Thanks,
>> Sury Bu
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
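Both dumps in the thread show the same thing regardless of the pfs= setting: no IPsec SA ("newest IPsec SA: #0") and a Quick Mode initiator state retransmitting QI1, i.e. Phase 1 has completed but the peer never answers the Phase 2 proposal. The only difference is whether +PFS+ appears in the policy, which decides whether a DH exchange is proposed in Quick Mode. The following parser and checker is an added example written for this page; it is not code from the thread or from Openswan. It takes the pfs=yes dump above as constructed sample input (mail-archive "/" markers stripped, the wrapped state line rejoined as pluto prints it), and the names parse_status, diagnose and WEAK_TOKENS are the example's own. As a practitioner's extra, it also flags the deprecated algorithms visible in the dump (HMAC-MD5 for ESP integrity, 1024-bit MODP for DH).

```python
import re

# Constructed sample input: the `ipsec auto --status` dump posted in the
# thread for the pfs=yes case, with the mail archive's "/" and "//" italic
# markers stripped and the wrapped state line rejoined onto one line.
SAMPLE_STATUS = """\
000 "ewelltouh": myip=172.16.66.254; hisip=unset;
000 "ewelltouh": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ewelltouh": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "ewelltouh": dpd: action:clear; delay:0; timeout:0;
000 "ewelltouh": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ewelltouh": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "ewelltouh": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "ewelltouh": ESP algorithms wanted: AES(12)_256-MD5(1)_000; flags=-strict
000 "ewelltouh": ESP algorithms loaded: AES(12)_256-MD5(1)_128
000
000 #34: "ewelltouh":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

# Per-connection lines look like:  000 "<conn>": <key>: <value>; ...
CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<body>.*)$')
# Per-state lines look like:  000 #<sa>: "<conn>":<port> STATE_xxx (<desc>); EVENT_xxx in <n>s; ...
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\);'
    r'(?: EVENT_(?P<event>\w+) in (?P<secs>\d+)s;)?'
)

# Algorithm tokens, as pluto prints them, that current IETF guidance
# deprecates: HMAC-MD5 for ESP integrity and the 1024-bit MODP DH group.
WEAK_TOKENS = ('MD5', 'MODP1024')


def parse_status(text):
    """Return {conn_name: {policy, newest_isakmp, newest_ipsec, ike, esp, states}}."""
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            conn = conns.setdefault(m['name'], {'states': []})
            conn['states'].append({
                'sa': int(m['sa']), 'state': m['state'], 'desc': m['desc'],
                'event': m['event'], 'secs': int(m['secs']) if m['secs'] else None,
            })
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        conn = conns.setdefault(m['name'], {'states': []})
        body = m['body']
        if body.startswith('policy: '):
            # "PSK+ENCRYPT+TUNNEL+PFS+UP+..." runs up to the first ';'
            conn['policy'] = body[len('policy: '):].split(';', 1)[0].split('+')
        elif body.startswith('newest ISAKMP SA: '):
            isakmp, ipsec = re.findall(r'#(\d+)', body)[:2]
            conn['newest_isakmp'], conn['newest_ipsec'] = int(isakmp), int(ipsec)
        elif body.startswith('IKE algorithms found: '):
            conn['ike'] = body.split(': ', 1)[1]
        elif body.startswith('ESP algorithms loaded: '):
            conn['esp'] = body.split(': ', 1)[1]
    return conns


def diagnose(conn):
    """Summarise what the status dump says about one connection."""
    policy = conn.get('policy', [])
    # A Quick Mode initiator that keeps retransmitting QI1 never received QR1:
    # Phase 1 is done, but the peer has not accepted the Phase 2 proposal
    # (a PFS/DH-group mismatch is one of several possible causes).
    stuck = sorted(st['sa'] for st in conn['states']
                   if st['state'] == 'STATE_QUICK_I1' and st['event'] == 'RETRANSMIT')
    algs = conn.get('ike', '') + ' ' + conn.get('esp', '')
    return {
        'pfs': 'PFS' in policy,          # +PFS+ => a DH exchange is proposed in Quick Mode
        'ipsec_sa_up': conn.get('newest_ipsec', 0) != 0,
        'stuck_quick_mode': stuck,       # SA numbers stuck in QI1 retransmit
        'weak_algorithms': sorted(t for t in WEAK_TOKENS if t in algs),
    }


if __name__ == '__main__':
    for name, conn in parse_status(SAMPLE_STATUS).items():
        print(name, diagnose(conn))
```

Feed it `ipsec auto --status` output from either dump: for the pfs=no dump the only change is `pfs` becoming False, while `ipsec_sa_up` stays False and the `stuck_quick_mode` list still holds the retransmitting state, which is the detail the pfs= question does not explain by itself.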