On 2013-09-12, Andy <a...@brandwatch.com> wrote:
> In addition to using isakmpd debug 'isakmpd -D A=99 -d'
>
> You also need to configure the policies in ipsec.conf to use 'dynamic'
> and not any of the other manual modes (man ipsec.conf) "The dynamic mode
> will additionally enable Dead Peer Detection (DPD) and use the
> local hostname as the identity of the local peer, if not specified
> by the srcid parameter."
>
> Dynamic is required to negotiate PFS with the other side I believe.

"Dynamic" is not needed, but IKE is needed (i.e. not manual flows).