Dear Colleagues, I'm setting up a transport mode IPSec connection between FreeBSD and Windows (10 and 2016). In the Windows IPSec GPO, there are two options (knobs) for PFS:
1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.jpg
2. "Use session key PFS" in ESP settings: http://admin.sibptus.ru/~vas/pfs_esp.jpg

Which connection parameters in Strongswan do they correspond to? A simple Strongswan configuration is like this:

    conn Win2016
        keyexchange=ikev1
        ike=3des-sha1-modp2048!
        esp=3des-sha1!
        left=x.x.x.1
        right=x.x.x.14
        type=transport
        authby=psk
        auto=route

It even works provided those two PFS knobs in Windows are unchecked. Please note that:

1. The DH group for IKE is configured separately in Windows, and can be set to 1, 2, or 2048 (this goes into the ike= parameter; I chose 2048 on both sides).
2. Windows cannot configure IKEv2 from GPO, only from PowerShell. I'm not quite ready for that yet, please do not advise to switch to IKEv2.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
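An added example, not part of the original post, showing the one mapping that strongSwan documents directly: in ipsec.conf, appending a DH group to the esp= proposal makes the IKEv1 Quick Mode (and every later CHILD_SA rekey) carry a fresh DH exchange, which is the "session key PFS" behaviour the Windows ESP knob negotiates. The conn below is the poster's, with esp= changed to request modp2048 PFS; the assumption is that the Windows side is set to the same DH group, and the "Master key PFS" knob is left aside because the page gives no strongSwan equivalent for it.

```ini
# ipsec.conf fragment (added example, assumes Windows "Use session key PFS"
# is checked and its DH group is set to 2048 to match modp2048 below)
conn Win2016
    keyexchange=ikev1
    # Phase 1: same as before, DH group must match the Windows IKE setting
    ike=3des-sha1-modp2048!
    # Phase 2: the trailing DH group turns on PFS for Quick Mode.
    # Without "-modp2048" strongSwan does no DH in Quick Mode, which is
    # why the original conn only worked with the Windows PFS knob unchecked.
    esp=3des-sha1-modp2048!
    left=x.x.x.1
    right=x.x.x.14
    type=transport
    authby=psk
    auto=route
```

After reloading (ipsec reload; ipsec up Win2016), "ipsec statusall" lists the established CHILD_SA with the negotiated proposal; if the two sides disagree on the Quick Mode DH group the Windows side rejects the proposal and the SA is not installed, so check the proposal there rather than trusting that the tunnel "came up" once before.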
