Hi Victor,

Probably means ...
1) master key pfs: rekey/reauth the IKE_SA every time a new CHILD_SA is negotiated
2) session key pfs: use an (EC)DHE KEX when negotiating new CHILD_SAs.

To be sure we'd need to test those cases and look at what it does differently.

Kind regards

Noel

On 20.01.20 at 08:14, Victor Sudakov wrote:
> Victor Sudakov wrote:
>> Tobias Brunner wrote:
>>>
>>>> esp=3des-sha1!
>>>
>>> PFS is enabled if you add a DH group to the ESP proposal.
>>
>> I suspected that, but Windows offers two knobs which can be enabled
>> independently, that's the confusion.
>>
>> Here is what I've been able to gather from some Windows networking
>> cookbooks about those knobs:
>> http://admin.sibptus.ru/~vas/SessionVsMasterPFS.png
>
> So, does anyone have an idea what those knobs could mean to Strongswan
> while selected/deselected in Windows independently from each other?
>
