I'd also like someone to clarify this question. From what I understand currently, using EDH for the IKE_SA is PFS as it is in "usual" SSL/TLS (e.g. in HTTPS) — you'll get a new EDH key for every new IKE_SA negotiation.
But EDH in the CHILD_SA is what you would call "key rotation". If you use EDH in the CHILD_SA, you'll get a new EDH key on every rekey, i.e. every hour or so.
Is this correct?

On 03/01/2016 02:55 PM, John Brown wrote:
> Hi,
>
> I can give you two links with a small amount of information about your question:
>
> http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
>
> and
>
> https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS
>
>
> Regards,
>
> John
>
> 2016-03-01 11:23 GMT+01:00 Harald Dunkel <harald.dunkel-N2c6Q/boouszqb+pc5n...@public.gmane.org>:
>
>
>

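The distinction the poster is asking about maps directly onto where a DH group appears in a strongSwan proposal. The following ipsec.conf fragments are an added example for this thread, not configuration from the original mail or from the strongSwan project; the connection name, addresses, subnets and algorithm choices are constructed placeholders, and the two `conn` sections are alternatives to compare, not meant to be loaded together. Per RFC 7296 section 2.17, a CHILD_SA rekey without a DH exchange derives its keys from the IKE_SA's SK_d, whereas a rekey with a DH exchange mixes in a fresh g^ir; in strongSwan that choice is made by including a DH group in `esp=` (PFS for every CHILD_SA rekey) or leaving it out (fresh DH only when the IKE_SA itself is negotiated or rekeyed).

```ini
# Added example, not from the thread. Addresses, subnets and names are constructed.

# Variant A: DH group only in the IKE proposal.
# Each new IKE_SA gets a fresh DH key, but CHILD_SA rekeys (every 'lifetime')
# derive their keys from the IKE_SA's SK_d with no new DH exchange. Compromise
# of the IKE_SA keying material therefore exposes every CHILD_SA keyed under it.
conn site-a-no-child-pfs
    left=192.0.2.1
    right=198.51.100.1
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.2.0/24
    # DH group present: fresh key per IKE_SA
    ike=aes256-sha256-modp2048!
    # no DH group: CHILD_SA rekeying is not forward secret on its own
    esp=aes256-sha256!
    ikelifetime=3h
    lifetime=1h
    auto=add

# Variant B: DH group also in the ESP proposal.
# Each CHILD_SA rekey (here every hour, minus rekeymargin) runs its own DH
# exchange, so the per-rekey keys are independent of the IKE_SA keying material
# and of each other.
conn site-a-child-pfs
    left=192.0.2.1
    right=198.51.100.1
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.2.0/24
    ike=aes256-sha256-modp2048!
    # DH group present: PFS on every CHILD_SA rekey
    esp=aes256-sha256-modp2048!
    ikelifetime=3h
    lifetime=1h
    rekeymargin=9m
    auto=add
```

The trailing `!` makes each proposal strict, so a peer that omits the DH group from its ESP proposal will not silently negotiate Variant B down to Variant A. To confirm which behaviour is actually in effect on a running system, check the CHILD_SA line in `ipsec statusall`: when PFS is negotiated, the DH group is listed alongside the ESP cipher and integrity algorithms.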

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
