In addition to using isakmpd debug ('isakmpd -D A=99 -d'), you also need to configure the policies in ipsec.conf to use 'dynamic' and not any of the other manual modes (man ipsec.conf): "The dynamic mode will additionally enable Dead Peer Detection (DPD) and use the local hostname as the identity of the local peer, if not specified by the srcid parameter."

Dynamic is required to negotiate PFS with the other side, I believe.

Cheers, Andy


On Thu 12 Sep 2013 08:07:55 BST, Janne Johansson wrote:
You are going to see (if you debug the negotiations done by isakmpd) if
both sides say they can use PFS, IIRC.



2013/9/12 Jeff Simmons <jsimm...@goblin.punk.net>

The man page for ipsec.conf states, in regards to crypto 'suites':

"Perfect Forward Security (PFS) is enabled unless group none is specified."

So is PFS required if a group is specified or is it optional for the remote
party? And is there a way to determine if PFS is being used by an existing
connection?

I'm especially interested in OpenBSD <-> Cisco tunnels.

--
Jeff Simmons
jsimm...@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
         --  My Life With The Thrill Kill Kult
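The thread's two points side by side, as an added ipsec.conf example that is not from any of the posters (the networks, peer address, hostname and pre-shared key are placeholders chosen for illustration): the same tunnel written once with PFS disabled and once with it enabled, both in dynamic mode as Andy describes.

```conf
# Added example; addresses, peer, srcid and psk are placeholders.
# Load only one of the two "ike" rules: they describe the same flow.

# Weak: "group none" in the quick (phase 2) proposal disables PFS, so the
# IPsec keys derive only from the phase 1 Diffie-Hellman result.
ike dynamic esp from 10.0.1.0/24 to 10.0.2.0/24 peer 203.0.113.1 \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group none \
    srcid gw.example.net \
    psk placeholderpsk

# Corrected: a DH group in the quick proposal enables PFS (the man page's
# "enabled unless group none is specified"), so a fresh DH exchange runs for
# every phase 2 SA. Both peers must offer the same group; on a Cisco IOS
# crypto map modp2048 corresponds to "set pfs group14".
ike dynamic esp from 10.0.1.0/24 to 10.0.2.0/24 peer 203.0.113.1 \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    srcid gw.example.net \
    psk placeholderpsk
```

`ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, and `ipsecctl -sa` lists the SAs once they are up, but that listing shows the ESP transforms rather than the phase 2 DH group. To confirm that PFS was actually negotiated with a given peer, run isakmpd in the foreground with debugging as Andy suggests (`isakmpd -D A=99 -d`) and check the quick mode proposal exchanged with the peer.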
