Hi Chris, > Is that option maybe obsolete with IKEv2? Afterall, pfsgroup is listed under > "Removed parameters (since 5.0.0)":
DH groups for IPsec SAs are configured differently for IKEv2 and since 5.0.0 also for IKEv1. They are added to ESP/AH proposals (esp/ah setting in ipsec.conf). If you currently don't have any configured then use `none` on Windows. However, if you want to use a separate DH exchange when rekeying CHILD_SAs then configure a matching DH group on both ends. Regards, Tobias
