I am trying to set up a site-to-site VPN using StrongSwan. The requirements
for the VPN are:
- Encapsulation Security Payload (ESP)
- Encryption: AES-256
- Authentication: SHA-1
- IPSec / IKE Authentication: Pre-shared secret and digital certificate
- IKE: Version 1
- IKE phase 1: Diffie-Hellman group 5
- Perfect Forward Secrecy (PFS): Diffie-Hellman group 1
- Pre-shared secret key
I have the following as a start in my ipsec.conf file:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    authby=secret
However, I don't know how to specify the Perfect Forward Secrecy (PFS) as DH
group 1.
I'm also uncertain if the other entries are correct for the requirements above.
(Do I need to specify the digital certificate?) (Do I need both an ike and
esp line?)
Any suggestions, or help would be greatly appreciated.
Thanks,
Ben Newton
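Added example (editor's note, not part of the original post): a strongSwan ipsec.conf fragment plus the matching ipsec.secrets line that maps each requirement listed in the post onto its setting. In strongSwan the ike= line is the phase 1 (IKE SA) proposal and the esp= line is the phase 2 (IPsec SA) proposal, so both are needed; PFS is enabled by appending a DH group to the esp= proposal, and DH group 1 is modp768 (group 5 is modp1536). The connection name, gateway addresses, subnets and the secret are placeholders.

```conf
# ipsec.conf (added example; addresses, subnets and names are placeholders)
config setup

conn %default
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    # Phase 1 (IKE SA) proposal: AES-256, SHA-1, DH group 5 = modp1536.
    # The trailing "!" makes strongSwan accept only this proposal.
    ike=aes256-sha1-modp1536!
    # Phase 2 (IPsec/ESP SA) proposal: AES-256, SHA-1.
    # The DH group appended here is what turns on PFS; modp768 is DH group 1.
    esp=aes256-sha1-modp768!
    # Pre-shared key authentication; the key itself lives in ipsec.secrets.
    authby=secret

conn site-to-site
    left=192.0.2.1            # placeholder: local gateway address
    leftsubnet=10.1.0.0/16    # placeholder: local protected network
    right=198.51.100.1        # placeholder: remote gateway address
    rightsubnet=10.2.0.0/16   # placeholder: remote protected network
    auto=start

# ipsec.secrets (placeholder secret; keep this file readable by root only)
# 192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

To authenticate with a certificate instead of a pre-shared secret, replace authby=secret with authby=rsasig and add leftcert= (the gateway's own certificate, a placeholder file name here) and rightid= for the peer's certificate identity; an IKEv1 connection uses one authentication method for both peers, so pick PSK or certificate per connection rather than expecting both at once. Two caveats a practitioner would raise before deploying this: DH group 1 (768-bit modp) is far below current key-size guidance and should be avoided wherever the requirement can be renegotiated (modp2048 or ecp256 are common replacements), and SHA-1 with IKEv1 is legacy as well, with IKEv2 being the preferred protocol version on current strongSwan.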