Hi,

> So why strongswan is always using PFS for ike_sa rekeying?

It was optional in RFC4306, but recommended to use. In IKEv2bis it is not optional anymore, the KE payload is required (see [1]).

> Can i disable that in some way?

No, strongSwan does not support IKE_SA rekeying without DH exchange.

Regards
Martin

[1] http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis-03#section-1.3.2