[strongSwan-dev] IKEv2 Proposal Limits StrongSwan v5.4.0

Tobias Brunner tobias at strongswan.org
Fri Jul 15 12:02:26 CEST 2016


Hi James,

> are you aware of any limit on the number of IKEv2 IKE and ESP proposals that
> StrongSwan v5.4.0 can support?

Each proposal has a number assigned within the SA payload, which is
stored in an 8-bit field.  Starting with 1 this theoretically limits the
number of proposals to 255.  But the daemon actually does not enforce
this, so if you configure more they just get the same number assigned as
a previous proposal (the number is just truncated to 8-bit).  However,
such an SA payload would then fail verification on the responder (the
daemon verifies that the proposals are numbered consecutively).  The
number of transforms (algorithms) per proposal is also stored in an
8-bit field, so that's limited too (but also not enforced, so this could
fail miserably as e.g. adding 256 transforms would result in the number
getting set to 0).

> Testing with v5.0.3 we were able to use up to 10000 proposals.

Seems strange.  How exactly did you test this?  Could you provide some
test configs?  Why would you have such a high number of proposals anyway?

Regards,
Tobias
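The 8-bit proposal-number and transform-count fields Tobias describes, as an added Python example that is not part of the original thread or of strongSwan itself: an encoder that truncates both fields the way the unchecked daemon would, and a responder-side check that rejects non-consecutive numbering or a transform count that does not match the transforms actually present. Field layouts follow RFC 7296; the transform IDs are constructed sample values and transform attributes are omitted.

```python
import struct

IKE, ESP = 1, 3                    # Protocol IDs (RFC 7296, section 3.3.1)
ENCR, PRF, INTEG, DH = 1, 2, 3, 4  # Transform types (section 3.3.2)

def encode_transform(ttype, tid, last):
    # Transform substructure: last(0)/more(3), reserved, length, type, reserved, ID.
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8, ttype, 0, tid)

def encode_proposal(num, proto, transforms, last):
    # Proposal substructure with an empty SPI.  Like the unchecked daemon behaviour
    # described above, proposal number and transform count are truncated to 8 bits.
    body = b"".join(encode_transform(tt, tid, i == len(transforms) - 1)
                    for i, (tt, tid) in enumerate(transforms))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(body),
                      num & 0xFF, proto, 0, len(transforms) & 0xFF)
    return hdr + body

def encode_sa_payload(proposals):
    # proposals: list of (protocol_id, [(transform_type, transform_id), ...]);
    # proposal numbers are assigned 1, 2, 3, ... in order, as the initiator does.
    return b"".join(encode_proposal(i + 1, proto, tr, i == len(proposals) - 1)
                    for i, (proto, tr) in enumerate(proposals))

def verify_sa_payload(data):
    """Responder-side check: proposals must be numbered consecutively from 1 and
    each must contain exactly as many transforms as its header claims."""
    expected, off = 1, 0
    while off < len(data):
        _, _, plen, num, _, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        if plen < 8 + spi_size or off + plen > len(data):
            return False, "bad proposal length"
        if num != expected:
            return False, f"proposal number {num} where {expected} was expected"
        toff, end, count = off + 8 + spi_size, off + plen, 0
        while toff < end:
            tlen = struct.unpack_from("!H", data, toff + 2)[0]
            if tlen < 8 or toff + tlen > end:
                return False, "bad transform length"
            count, toff = count + 1, toff + tlen
        if count != ntrans:
            return False, f"{count} transforms present but header says {ntrans}"
        expected, off = expected + 1, off + plen
    return True, "ok"

# Constructed inputs: a sane two-proposal payload, then the two overflow cases.
SANE = [(IKE, [(ENCR, 12), (PRF, 5), (INTEG, 12), (DH, 14)]), (IKE, [(ENCR, 20), (PRF, 5), (DH, 14)])]
TOO_MANY_PROPOSALS = [(ESP, [(ENCR, 12)])] * 256            # 256th proposal gets number 0
TOO_MANY_TRANSFORMS = [(ESP, [(ENCR, 12)] * 256)]           # transform count field becomes 0
```

Feeding the two overflow payloads through `verify_sa_payload` shows exactly the responder-side failures the reply predicts: the 256th proposal arrives numbered 0, and a 256-transform proposal claims zero transforms.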