[strongSwan-dev] [StrongSwan]: Tunnels establishment in case of IKE version mismatch

Andreas Steffen andreas.steffen at strongswan.org
Fri Nov 23 08:27:38 CET 2012


Hi Jegathesh,

As a principle, an IKEv1 peer cannot talk to an IKEv2 peer at all
and vice versa, but a responder could support both IKEv1 and
IKEv2 at the same time. Starting with strongSwan 5.0 this is the
case with the default setting

   keyexchange=ike

as shown in the following example scenario:

http://www.strongswan.org/uml/testresults5dr/ike/rw-cert/

whereas a responder with

   keyexchange=ikev1

will react to IKEv1 initiators only and with

   keyexchange=ikev2

to IKEv2 initiators only.

Regards

Andreas

On 11/23/2012 08:11 AM, jegathesh malaiyappan wrote:
> Hi All,
>
> I have observed the tunnels are getting established in case of IKE
> version mismatch.
>
> Option 1:
> =========
> Initiator : IKEv1
> Responder: IKEv2
>
> *Result:* Tunnels are not established
>
> Option 2:
> =========
> Initiator : IKEv2
> Responder: IKEv1
>
> *Result:* Tunnels are established
> Why is it happening? Is this correct behavior or not?
>
> Thanks.
>
> - Jegathesh,
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
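
Added example, not part of the original message and not strongSwan code: a small model of the responder behaviour described in the reply, which reads the major version from the fixed IKE header (RFC 2408 / RFC 7296 layout) and applies the three keyexchange settings. The sample headers are constructed, and the helper names are hypothetical; it assumes a UDP/500 payload with no non-ESP marker in front of the header.

```python
import struct

# Fixed ISAKMP/IKE header: SPIi, SPIr, next payload, version byte
# (major nibble, minor nibble), exchange type, flags, message ID, length.
IKE_HEADER = struct.Struct("!8s8sBBBBII")

# Major versions a responder reacts to per keyexchange value, as stated in
# the reply above (keyexchange=ike is the strongSwan 5.0 default).
ACCEPTED = {"ike": {1, 2}, "ikev1": {1}, "ikev2": {2}}

def ike_major_version(datagram: bytes) -> int:
    """Return the IKE major version announced in the header of a message."""
    if len(datagram) < IKE_HEADER.size:
        raise ValueError("datagram shorter than the 28-byte IKE header")
    _, _, _, version, _, _, _, length = IKE_HEADER.unpack_from(datagram)
    if length < IKE_HEADER.size:
        raise ValueError("length field smaller than the header itself")
    return version >> 4

def responder_reacts(keyexchange: str, datagram: bytes) -> bool:
    """Model of the described behaviour; not strongSwan's own logic."""
    return ike_major_version(datagram) in ACCEPTED[keyexchange]

def build_header(major, exchange_type, next_payload, flags=0):
    """Constructed sample: header only, zero responder SPI, message ID 0."""
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, next_payload,
                           major << 4, exchange_type, flags, 0,
                           IKE_HEADER.size)

V1_MAIN_MODE = build_header(1, 2, 1)        # Identity Protection, SA payload
V2_SA_INIT = build_header(2, 34, 33, 0x08)  # IKE_SA_INIT, SA, Initiator flag

def matrix():
    """Every keyexchange setting against both constructed initiators."""
    return {(k, name): responder_reacts(k, pkt)
            for k in ACCEPTED
            for name, pkt in (("IKEv1", V1_MAIN_MODE), ("IKEv2", V2_SA_INIT))}

if __name__ == "__main__":
    for (k, name), ok in matrix().items():
        result = "reacts" if ok else "no reaction"
        print(f"keyexchange={k:<5} initiator={name}: {result}")
```

The same version check can be applied to the first datagram in a packet capture to confirm which IKE version an initiator is actually sending.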



