ipseccmd syntax

John Roul

How would I not specify any encryption, accept the defaults, but still
turn PFS on?

-n ESP[3DES,SHA]3600S/50000KPFS is the original, which works but
specifies encryption.

I tried (-n PFS), (-n 3600S/50000KPFS) and (PFS).

I can't seem to get it to work; below is a copy of the full command:

ipseccmd -w REG -p Town -r Guest-Host -t 142.163.242.244 -f 0+199.210.34.0/255.255.255.0 -t 142.163.242.245 -n ESP[3DES,SHA]3600S/50000KPFS -a PRESHARED:"testing"

Steve Riley

Perfect forward secrecy applies to the session encryption keys used for
phase 2 bulk encryption of data. If you're specifying null encryption,
there's nothing for PFS to do, so it won't enable.

Note that you can enable PFS for phase 1:

-1p enable PFS for phase 1
DEFAULT: not enabled
 
John Roul

If I remove the -n ESP[3DES,SHA]3600S/50000KPFS, then the syntax in my
first post will create a VPN connection to a BEFVP41 router from XP, but I
have to physically turn the PFS check box on before it works. Not
specifying the -n ESP[3DES,SHA]3600S/50000KPFS in my string allows
all four types as default, but it will only work if PFS is turned on.



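Added example, not from the thread and not ipseccmd's own code: a small Python parser and rewriter for the -n security-method tokens the question is about. The only grammar taken from the page is the token in John's command, ESP[<enc>,<hash>] followed by an optional <sec>S/<kb>K rekey and a trailing PFS. The AH[<hash>] and ESP[NONE,<hash>] forms, an omitted rekey part, and passing several methods to -n as a space-separated list are assumptions about ipseccmd's syntax that the thread does not confirm. SAMPLE_METHODS is constructed for the demonstration and is not a claim about which methods the tool applies by default.

```python
"""Parse and rewrite ipseccmd "-n" security-method tokens.

Added example for the thread above; not ipseccmd's own code. Grammar from the
page: ESP[<enc>,<hash>] + optional <sec>S/<kb>K rekey + optional PFS, as in
ESP[3DES,SHA]3600S/50000KPFS. AH[<hash>], a missing rekey part and the
space-separated method list are assumptions about the tool's syntax.
"""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# One security method: protocol, bracketed algorithms, optional rekey, optional PFS.
_METHOD_RE = re.compile(
    r"^(?P<proto>AH|ESP)\[(?P<algs>[A-Za-z0-9]+(?:,[A-Za-z0-9]+)?)\]"
    r"(?:(?P<sec>\d+)S)?(?:/?(?P<kb>\d+)K)?(?P<pfs>PFS)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SecurityMethod:
    proto: str                   # "AH" or "ESP"
    enc: Optional[str]           # ESP cipher ("3DES", "DES", "NONE"); None for AH
    hash_alg: str                # "SHA" or "MD5"
    rekey_seconds: Optional[int]
    rekey_kbytes: Optional[int]
    pfs: bool                    # phase 2 (session key) PFS requested for this method

    @property
    def encrypts(self) -> bool:
        """True only for ESP with a real cipher; AH and ESP[NONE,...] only authenticate."""
        return self.proto == "ESP" and self.enc != "NONE"

    def render(self) -> str:
        """Emit the token in the form used on the -n list."""
        algs = self.hash_alg if self.proto == "AH" else f"{self.enc},{self.hash_alg}"
        rekey = ""
        if self.rekey_seconds is not None:
            rekey += f"{self.rekey_seconds}S"
        if self.rekey_kbytes is not None:
            rekey += ("/" if rekey else "") + f"{self.rekey_kbytes}K"
        return f"{self.proto}[{algs}]{rekey}{'PFS' if self.pfs else ''}"


def parse_method(token: str) -> SecurityMethod:
    """Parse one -n token; raises ValueError on anything outside the grammar above."""
    m = _METHOD_RE.match(token.strip())
    if not m:
        raise ValueError(f"not an ipseccmd security method: {token!r}")
    proto = m["proto"].upper()
    algs = [a.upper() for a in m["algs"].split(",")]
    if proto == "AH":
        if len(algs) != 1:
            raise ValueError("AH takes a single hash, e.g. AH[SHA]")
        enc, hash_alg = None, algs[0]
    else:
        if len(algs) != 2:
            raise ValueError("ESP takes <enc>,<hash>, e.g. ESP[3DES,SHA]")
        enc, hash_alg = algs
    return SecurityMethod(
        proto, enc, hash_alg,
        int(m["sec"]) if m["sec"] else None,
        int(m["kb"]) if m["kb"] else None,
        bool(m["pfs"]),
    )


def require_pfs(tokens: List[str]) -> List[str]:
    """Return the same methods with PFS appended to each one (idempotent)."""
    return [replace(parse_method(t), pfs=True).render() for t in tokens]


def negotiation_arg(tokens: List[str]) -> str:
    """Build the value written after -n: every method, PFS required, space-separated (assumed list syntax)."""
    return " ".join(require_pfs(tokens))


# Constructed input: the token from the thread (without PFS) plus three more
# methods in the same grammar. Illustrative only; not ipseccmd's default set.
SAMPLE_METHODS = [
    "ESP[3DES,SHA]3600S/50000K",
    "ESP[3DES,MD5]",
    "ESP[DES,SHA]",
    "AH[SHA]",
]

if __name__ == "__main__":
    print(parse_method("ESP[3DES,SHA]3600S/50000KPFS"))
    print("-n", negotiation_arg(SAMPLE_METHODS))
```

The point for the original question is that phase 2 PFS is a per-method suffix inside the -n value, so there is no way to "accept the defaults" and still demand PFS without writing the methods out with PFS appended; require_pfs does exactly that rewrite, and parse_method(token).pfs tells you whether a token already carries it. The -1p switch in Steve's reply is a separate flag for phase 1 and never appears inside an -n token. The pre-shared key "testing" in the thread should be read as a placeholder: a short dictionary word is not an acceptable pre-shared key outside a lab.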