On 2013-09-12, Jeff Simmons <jsimm...@goblin.punk.net> wrote:
> The man page for ipsec.conf states, in regards to crypto 'suites':
>
> "Perfect Forward Security (PFS) is enabled unless group none is specified."
>
> So is PFS required if a group is specified or is it optional for the remote
> party? And is there a way to determine if PFS is being used by an existing
> connection?
>
> I'm especially interested in OpenBSD <-> Cisco tunnels.
>
I haven't checked the code for a definitive answer, but I do know that phase 2 won't come up if you set a group on the OpenBSD side for "quick", e.g. "quick auth hmac-sha1 enc aes-256 group grp2", and the Cisco is configured not to do PFS.
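To make the two cases concrete, here is an added ipsec.conf(5) fragment (example configuration written for this thread, not from the original posts) showing the phase 2 "quick" suite once with a DH group, which requires PFS from the peer, and once with "group none", which disables PFS. The addresses, peer and pre-shared key are constructed placeholders; the phase 1 and phase 2 algorithms match what the reply above quotes.

```conf
# Constructed example: OpenBSD <-> Cisco tunnel, IKEv1 via isakmpd(8).
# Addresses, peer and PSK are placeholders, not real endpoints.

# PFS required: a DH group on the "quick" (phase 2) suite means every
# child SA rekey does a fresh exchange. A peer configured without PFS
# (the Cisco in the reply above) will fail phase 2 negotiation.
ike esp from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.1 \
	main  auth hmac-sha1 enc aes-256 group grp2 \
	quick auth hmac-sha1 enc aes-256 group grp2 \
	psk "placeholder-psk-change-me"

# PFS disabled: "group none" on the "quick" suite. Phase 2 comes up
# against a no-PFS peer, but phase 2 keys are derived only from the
# phase 1 shared secret, so compromise of that secret exposes past
# traffic. Only phase 2 takes "none"; phase 1 always needs a group.
# ike esp from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.1 \
# 	main  auth hmac-sha1 enc aes-256 group grp2 \
# 	quick auth hmac-sha1 enc aes-256 group none \
# 	psk "placeholder-psk-change-me"
```

The safer way to interoperate is to enable PFS on the Cisco side with the same group rather than to drop the group on the OpenBSD side; the mismatch shows up as a phase 2 (quick mode) failure, so a tunnel that reaches phase 2 with a group configured is negotiating PFS.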