Hi Guys,

I am somewhat new to IPSec.

In Windows 10 I am trying to set proper encryption/integrity algorithms:

Set-VpnConnectionIPsecConfiguration -ConnectionName "..." `
    -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup None

Now, as you can see, I *have to* set PfsGroup to none, because if I do not then 
my IPsec Tunnel breaks apart eventually. The server will say "no acceptable 
diffie hellman group found." I am assuming that Windows is trying to do PFS 
which strongSwan can't (?).

Is that option maybe obsolete with IKEv2? After all, pfsgroup is listed under 
"Removed parameters (since 5.0.0)":

https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

Is PfsGroup None unsafe?

Thanks!

-Chris
 
