From 76abb27a3cce45980f3f8fe68d0e4ec4c9ffa0b1 Mon Sep 17 00:00:00 2001
From: Sheng Yang
Date: Mon, 23 Jul 2012 19:33:11 -0700
Subject: [PATCH] S2S VPN: Add back pfs=no for ipsec.conf

According to ipsec.conf manual: pfs whether Perfect Forward Secrecy of keys is desired on the connection's keying channel (with PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier); Since there is no reason to ever refuse PFS, Openswan will allow a connection defined with pfs=no to use PFS anyway. Acceptable values are yes (the default) and no. Found removing the option would make it impossible to work with no PFS setting router. It may related to CS-15511.
---
 patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index 68deecd09d7..15eb4c2f7ad 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -137,6 +137,7 @@ ipsec_tunnel_add() {
 sudo echo " type=tunnel" >> $vpnconffile &&
 sudo echo " authby=secret" >> $vpnconffile &&
 sudo echo " keyexchange=ike" >> $vpnconffile &&
+ sudo echo " pfs=no" >> $vpnconffile &&
 sudo echo " esp=$esppolicy" >> $vpnconffile &&
 sudo echo " salifetime=${time}s" >> $vpnconffile &&
 sudo echo " ike=$ikepolicy" >> $vpnconffile &&
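Review bot: The added line hardcodes `pfs=no` into every connection that ipsec_tunnel_add writes, so this side stops requiring Perfect Forward Secrecy for all peers rather than only for the routers that cannot negotiate it; since `esp=$esppolicy` and `ike=$ikepolicy` on the neighbouring lines are already driven by variables, PFS should be handled the same way, e.g. `sudo echo " pfs=$pfs" >> $vpnconffile &&` with a per-tunnel value (constructed name) that defaults to yes and is set to no only where the peer requires it. The new line also copies the surrounding pattern in which `sudo` applies only to `echo` while the `>> $vpnconffile` append runs as the invoking user, and `$vpnconffile` is unquoted; `echo " pfs=no" | sudo tee -a -- "$vpnconffile" >/dev/null &&` would make the privileged step the write itself. The rest of ipsec_tunnel_add, including where its options are parsed, lies outside the hunk, so whether a PFS flag is already available there cannot be confirmed from this patch.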