Hi Emeric

On 08/01/2014 04:05 PM, Emeric POUPON wrote:
> Hello,
>
> I have some problems enabling PFS on the CHILD SA.
> I'm using strongswan 5.2.0 on FreeBSD.
>
> Here are the site configurations:

looks good. However [1], the IKE_AUTH exchange responsible for establishing the *first* CHILD_SA does not include a key exchange (KE), whereas [2], the CREATE_CHILD_SA exchange responsible for creating (subsequent), or rekeying children, does include an (optional) key exchange ([KE]). If you wait for the configured keylife of <=60 minutes, you should see a rekeying of the CHILD_SA take place, including the configured PFS-group.

Cheers,
Thomas

[1] http://tools.ietf.org/html/rfc5996#appendix-C.2
[2] http://tools.ietf.org/html/rfc5996#appendix-C.4
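
The behaviour described in the reply above can be checked from the daemon log. The following is an added example, not part of the original thread or of strongSwan itself: it assumes charon's `[ENC]` log lines list the payloads of each message in square brackets, and the sample lines are constructed for illustration.

```python
import re

# Assumed charon [ENC] line shape, e.g.:
#   11[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
ENC_LINE = re.compile(
    r"\[ENC\] (?:parsed|generating) (?P<exchange>[A-Z_]+) "
    r"(?P<kind>request|response) (?P<mid>\d+) \[ (?P<payloads>.*) \]"
)

# Constructed sample log (hostnames, times and message IDs are made up).
SAMPLE_LOG = """\
Aug  1 16:00:01 gw charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug  1 16:00:01 gw charon: 07[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr ]
Aug  1 16:00:01 gw charon: 08[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Aug  1 16:48:12 gw charon: 11[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
Aug  1 16:48:12 gw charon: 12[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Aug  1 17:30:40 gw charon: 05[ENC] generating CREATE_CHILD_SA request 3 [ N(REKEY_SA) SA No TSi TSr ]
"""


def classify(log_text):
    """Return (exchange, kind, message_id, verdict) for every message that
    negotiates a CHILD_SA.

    verdict is one of:
      "initial" - IKE_AUTH: first CHILD_SA, never carries KE (RFC 5996 C.2)
      "pfs"     - CREATE_CHILD_SA with a KE payload (RFC 5996 C.4)
      "no-pfs"  - CREATE_CHILD_SA without the optional KE payload
    """
    rows = []
    for line in log_text.splitlines():
        m = ENC_LINE.search(line)
        if not m:
            continue
        payloads = m.group("payloads").split()
        # Traffic selectors mark a CHILD_SA negotiation; this skips
        # IKE_SA_INIT and IKE_SA rekeys, which carry KE for the IKE_SA itself.
        if "TSi" not in payloads:
            continue
        if m.group("exchange") == "IKE_AUTH":
            verdict = "initial"
        elif m.group("exchange") == "CREATE_CHILD_SA":
            verdict = "pfs" if "KE" in payloads else "no-pfs"
        else:
            continue
        rows.append((m.group("exchange"), m.group("kind"), int(m.group("mid")), verdict))
    return rows


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(*row)
```

An "initial" verdict is expected for every tunnel; only a "no-pfs" verdict on a CREATE_CHILD_SA message indicates that the configured PFS group was not applied.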
