You are going to see (if you debug the negotiations done by isakmpd) if both sides say they can use PFS, IIRC.

2013/9/12 Jeff Simmons <jsimm...@goblin.punk.net>

> The man page for ipsec.conf states, in regards to crypto 'suites':
>
> "Perfect Forward Security (PFS) is enabled unless group none is specified."
>
> So is PFS required if a group is specified or is it optional for the remote
> party? And is there a way to determine if PFS is being used by an existing
> connection?
>
> I'm especially interested in OpenBSD <-> Cisco tunnels.
>
> --
> Jeff Simmons
> jsimm...@goblin.punk.net
> Simmons Consulting - Network Engineering, Administration, Security
> "You guys, I don't hear any noise. Are you sure you're doing it right?"
> -- My Life With The Thrill Kill Kult

--
May the most significant bit of your life be positive.