Sometimes it is necessary to adjust the key types, algorithms, ciphers, or lifetimes used by the various components of the cryptographic system. All of these are tunable per connection through configuration options.
You can find their descriptions in the ipsec.conf man page, but we will provide a few examples here. For all these options, the default setting is the one used when the option is not specified in the connection at all.
Perfect Forward Secrecy is not supported by all IPsec implementations. Normally it should be enabled (pfs=yes), which is the default, as this protects previous key exchanges even if the current one is compromised. You almost never need to set this to no. One such exception is the MS-L2TP client.
If you are unsure whether the other end wants to use PFS, you can safely set pfs=no. If Openswan receives a request with PFS, it will allow it despite its own setting to disable PFS, because there is absolutely no reason not to use...