[strongSwan] When is DH re-negotiated ?
graham.hudspith at gmail.com
Thu Mar 24 12:19:13 CET 2011
Hopefully this is a quick answer for someone?
When we set up a tunnel, we have to specify a DH group along with the
acceptable encryption and authentication algorithms for the IKE_SA.
Is DH re-negotiated every time we rekey the IKE_SA?
Also, when we set up a tunnel, we have the option of specifying (or not) the
DH group for when CHILD_SAs are rekeyed. Here, for our initiators, we give
this choice to the SeGW by specifying that we accept either
My understanding is that by specifying the above, we are leaving it up to
the SeGW to choose whether to always re-negotiate the DH when the CHILD_SA
is rekeyed (by sending back to us "aes-sha1-modp1024") or to
never re-negotiate the DH when the CHILD_SA is rekeyed (by sending back to
So, if the former, does this mean that a new DH is re-negotiated every time
we rekey the CHILD_SA AND a new DH is re-negotiated every time we rekey the
If the latter, does this mean that a new DH is re-negotiated ONLY when we
rekey the IKE_SA?
Finally, if the latter, can the SeGW vary when the DH is re-negotiated (i.e.
re-negotiate the DH every THIRD time the CHILD_SA is rekeyed)?
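The mechanism the post describes, shown as an added example (editor's illustration, not code from strongSwan or from the poster): an ESP proposal list such as "aes-sha1-modp1024,aes-sha1" offers the responder two proposals, one with a DH group and one without, and the responder's pick decides whether CHILD_SA rekeying performs a fresh DH exchange (PFS). The parser below classifies proposal tokens by prefix (modp/ecp/curve/x25519/x448 as DH groups, sha/md5/aesxcbc/aescmac as integrity, prf* as PRF, esn/noesn as the ESN flag, everything else as encryption or AEAD); that classification is an assumption of this example, not strongSwan's own parser, and the input strings are constructed. For the IKE_SA itself, IKEv2 (RFC 7296) always includes a new key exchange in an IKE_SA rekey, which is why the ike= line must carry a group.

```python
"""Parse strongSwan-style proposal strings (as written on ike= and esp= lines)
and report, per proposal, whether a DH group is part of it.  For an ESP
proposal a DH group means a fresh DH exchange (PFS) on CHILD_SA rekeying;
a proposal without one does not.  Added illustration, not strongSwan code."""

# Prefix-based classification (assumption of this example, see lead-in).
DH_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")
INTEG_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac")
PRF_PREFIX = "prf"
ESN_KEYWORDS = ("esn", "noesn")


def parse_proposal(text):
    """Split one proposal like 'aes-sha1-modp1024' into its components."""
    prop = {"raw": text.strip(), "enc": [], "integ": [], "prf": [], "dh": [], "esn": None}
    for token in (t for t in prop["raw"].split("-") if t):
        if token in ESN_KEYWORDS:
            prop["esn"] = token
        elif token.startswith(DH_PREFIXES):
            prop["dh"].append(token)
        elif token.startswith(PRF_PREFIX):
            prop["prf"].append(token)
        elif token.startswith(INTEG_PREFIXES):
            prop["integ"].append(token)
        else:
            prop["enc"].append(token)  # encryption or AEAD, e.g. aes128gcm16
    return prop


def parse_proposal_list(text):
    """Split a comma-separated list such as 'aes-sha1-modp1024,aes-sha1'."""
    return [parse_proposal(p) for p in text.split(",") if p.strip()]


def rekey_uses_dh(proposal):
    """True when the proposal carries a DH group, i.e. PFS on CHILD_SA rekey."""
    return bool(proposal["dh"])


def pfs_summary(esp_text):
    """Map each offered ESP proposal to whether accepting it implies PFS."""
    return [(p["raw"], rekey_uses_dh(p)) for p in parse_proposal_list(esp_text)]


def responder_selection(offered_text, selected_text):
    """Model the responder (the SeGW in the thread) picking one proposal.

    Returns (proposal, pfs) for the selected proposal, or raises ValueError
    if the responder returned something the initiator never offered."""
    selected_tokens = set(t for t in selected_text.strip().split("-") if t)
    for offered in parse_proposal_list(offered_text):
        if set(offered["raw"].split("-")) == selected_tokens:
            return offered, rekey_uses_dh(offered)
    raise ValueError("responder selected an unoffered proposal: %s" % selected_text)


if __name__ == "__main__":
    # Constructed input: an initiator that leaves the PFS decision to the peer.
    offered = "aes-sha1-modp1024,aes-sha1"
    for raw, pfs in pfs_summary(offered):
        print("%-20s PFS on CHILD_SA rekey: %s" % (raw, pfs))
    _, pfs = responder_selection(offered, "aes-sha1-modp1024")
    print("peer chose the DH variant -> PFS:", pfs)
```

Because the responder must answer with one of the offered proposals, an initiator that wants to force PFS should offer only proposals that contain a group; offering both variants hands the choice to the peer, exactly as the post describes.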