Hi Martin, <br>Thanks for you reply.<br>I just want to clarify the doubts on PFS group proposal in IKEv2.<br><br>I guess, as per RFC 4306 , PFS group proposal will happen in CREATE_SA exchange (IKE_AUTH messages). Because its mentioned like "<br>
A CHILD_SA is created by sending a CREATE_CHILD_SA request"<br><br>But in RFC 5996 , its mentioned like <br>" The CREATE_CHILD_SA exchange is used to create new Child SAs and to<br> rekey both IKE SAs and Child SAs"<br>
<br>As per new RFC 5996, CREATE_CHILD_SA is only meant to create New Child SA's (after a tunnel is formed).<br>So its not possible to inter operate a software, which supports RFC4306 with Strongswan.<br><br>Please correct me , If I am wrong. I m not clear about this point in RFC.<br>
I need experts guidance.<br><br>Regards,<br>Saravanan N <br><pre class="newpage"><br></pre><br><div class="gmail_quote">On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div class="im"><br>
> 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ<br>
</div><div class="im">> 13[IKE] no acceptable proposal found<br>
</div><div class="im">> 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]<br>
<br>
</div>Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This<br>
seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal<br>
would match in a CREATE_CHILD_SA (as you can do a DH exchange there),<br>
but not in IKE_AUTH.<br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888">Martin<br>
<br>
</font></span></blockquote></div><br>