Hi John,

On 03/01/2016 12:55 PM, John Brown wrote:
> Hi,
>
> I can give you two links with some small amount of information about your
> question:
>
> http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
>
> and
>
> https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS
>
I saw the wiki article before, of course. Point is that some implementations don't support PFS for phase 2, including the iPhones (at least for IKEv1), Windows (7?, 10?) and even charon-nm. Since I made PFS optional for phase 2 in our road warrior setup on the server, a lot of "broken connection after an hour or so" problems went away.

AFAIU PFS provides a means to create a symmetric key on both peers without exchanging anything secret over a (possibly unprotected or compromised) communication line. I am not sure if this is an issue for phase 2. Is it?

Regards
Harri

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
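To make the phase 2 question concrete, here is an added example (not part of the thread) that models the RFC 2409 section 5.5 quick mode KEYMAT derivation in Python, with HMAC-SHA256 assumed as the prf; all byte values are constructed, and a random byte string stands in for the quick mode Diffie-Hellman result.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (HMAC-SHA256 assumed here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni_b: bytes,
                      nr_b: bytes, g_qm_xy: Optional[bytes] = None) -> bytes:
    """RFC 2409 section 5.5 keying material for one IPsec SA.

    without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    g(qm)^xy is the fresh Diffie-Hellman secret from the quick mode KE payloads.
    """
    fields = bytes([protocol]) + spi + ni_b + nr_b
    if g_qm_xy is None:
        return prf(skeyid_d, fields)
    return prf(skeyid_d, g_qm_xy + fields)


def recover_after_phase1_compromise(skeyid_d: bytes, observed: dict) -> Optional[bytes]:
    """What a later compromise of the phase 1 secrets exposes.

    SKEYID_d plus the quick mode fields (readable once SKEYID_e is known) are
    every input of the non-PFS derivation. With PFS the peers' DH exponents
    never left them, so g(qm)^xy is missing and KEYMAT cannot be recomputed.
    """
    if observed["ke_exchanged"]:
        return None
    return quick_mode_keymat(skeyid_d, observed["protocol"], observed["spi"],
                             observed["ni_b"], observed["nr_b"])


def simulate(pfs: bool) -> Tuple[bytes, Optional[bytes]]:
    """Constructed exchange: both peers derive KEYMAT, then phase 1 leaks."""
    skeyid_d = secrets.token_bytes(32)              # phase 1 derived secret
    qm = {"protocol": 3,                            # PROTO_IPSEC_ESP (RFC 2407)
          "spi": secrets.token_bytes(4), "ni_b": secrets.token_bytes(16),
          "nr_b": secrets.token_bytes(16), "ke_exchanged": pfs}
    g_qm_xy = secrets.token_bytes(256) if pfs else None  # stands in for the DH result
    args = (skeyid_d, qm["protocol"], qm["spi"], qm["ni_b"], qm["nr_b"], g_qm_xy)
    initiator, responder = quick_mode_keymat(*args), quick_mode_keymat(*args)
    assert initiator == responder                   # peers agree either way
    return initiator, recover_after_phase1_compromise(skeyid_d, qm)
```

Without phase 2 PFS, whoever later obtains the phase 1 secrets holds every input needed to recompute the IPsec keys; with PFS the fresh quick mode DH secret is the input they lack.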
