Hi Arun,

The pfs option has no effect on IKEv2 connections. It's an option used by the legacy IKEv1 daemon pluto, where it only affected Quick Mode SAs because ISAKMP SAs are always reestablished from scratch, so there always is a DH exchange.

IKEv2 does support inline rekeying of IKE_SAs (reauth=no, rekey=yes) and there is always a DH exchange when doing so (see [1]). To do a DH exchange when rekeying CHILD_SAs with IKEv2 (or IKEv1 since 5.x) you have to configure at least one DH group in the esp cipher suite as you already have in your config.

Regards,
Tobias

[1] http://tools.ietf.org/html/rfc5996#section-2.18

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
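An added illustration of the point Tobias makes, not taken from his message or from strongSwan's own documentation: two ipsec.conf connection fragments, one whose esp proposal carries a DH group (so CHILD_SA rekeying performs a fresh DH exchange) and one whose proposal does not (so rekeyed CHILD_SA keys are derived only from the IKE_SA's key material and nonces, without a new DH exchange). The connection names, addresses and chosen cipher suites are made up for the example; the option names (keyexchange, reauth, rekey, ike, esp, ikelifetime, lifetime, pfs) are the real ipsec.conf keywords.

```conf
# Example ipsec.conf fragments (constructed; hypothetical connection names and peers).

# Connection with a DH group in the esp proposal: CHILD_SA rekeying via
# CREATE_CHILD_SA includes a Diffie-Hellman exchange (per-CHILD_SA PFS).
conn branch-with-pfs
    keyexchange=ikev2
    left=192.0.2.1
    right=198.51.100.1
    # Inline IKE_SA rekeying instead of full reauthentication. An IKE_SA rekey
    # always includes a DH exchange regardless of the esp proposal.
    reauth=no
    rekey=yes
    ikelifetime=24h
    # IKE proposal; the trailing '!' restricts negotiation to exactly this suite.
    ike=aes256gcm16-prfsha384-ecp384!
    # ESP proposal WITH a DH group (ecp384) -> new DH on every CHILD_SA rekey.
    esp=aes256gcm16-ecp384!
    lifetime=1h
    auto=start

# Connection without a DH group in the esp proposal: CHILD_SA rekeying derives
# the new keys from the IKE_SA's SK_d plus fresh nonces only; no DH exchange.
conn branch-without-pfs
    keyexchange=ikev2
    left=192.0.2.1
    right=203.0.113.7
    reauth=no
    rekey=yes
    ikelifetime=24h
    ike=aes256gcm16-prfsha384-ecp384!
    # ESP proposal WITHOUT a DH group -> no per-CHILD_SA forward secrecy on rekey.
    esp=aes256gcm16!
    lifetime=1h
    # This keyword is only meaningful for the legacy IKEv1 daemon pluto and has
    # no effect on an IKEv2 connection: it does NOT add a DH exchange here.
    pfs=yes
    auto=start
```

To check which behaviour a running charon negotiated, look at the CHILD_SA line in `ipsec statusall` (or the charon log at the CREATE_CHILD_SA exchange): a proposal that includes a DH group (e.g. ECP_384) means rekeying will carry a KE payload, a proposal listing only cipher and integrity algorithms means it will not.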