"Disable PFS" problem

[romulogcerqueira]

On IPsec settings, I check the "Disable PFS" tick box, however, this configuration is not stored. How can I overcome this issue?

I am using Ubuntu 20.04.

[dkosovic]

The "Disable PFS" option is greyed if detects strongswan. PFS for strongSwan 5.x onwards is enabled by appending a DH group to the ESP (i.e. phase 2 algorithms) settings, see:

• https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations

So I assume you are using libreswan.

If you run /usr/bin/nm-connection-editor, tick the "Disable PFS" check box, save the connection, then re-open the connection, is the "Disable PFS" check box still enabled?

If you are using KDE plasma-nm that comes with Kubuntu 20.04, it will erase the "Disable PFS" setting, you would need to use a newer version of plasma-nm that has the "Disable PFS" check box, e.g.:

[dkosovic]

If you are using KDE plasma-nm on Kubuntu 20.04, the following thread describes a workaround to stop "Disable PFS" option being removed by changing permissions of the config file:

• https://forum.kde.org/viewtopic.php?f=18&t=163029

I'm closing this issue due to lack of response activity. I will reopen if there are responses.