[strongSwan] When is DH re-negotiated?

Graham Hudspith graham.hudspith at gmail.com
Thu Mar 24 12:19:13 CET 2011


All,


Hopefully this is a quick answer for someone?

When we set up a tunnel, we have to specify a DH group along with the
acceptable encryption and authentication algorithms for the IKE_SA
(e.g. "aes-sha-modp1024!").

Is DH re-negotiated every time we rekey the IKE_SA?

Also, when we set up a tunnel, we have the option of specifying (or not) the
DH group for when CHILD_SAs are rekeyed. Here, for our initiators, we give
this choice to the SeGW by specifying that we accept either
(e.g. "aes-sha1-modp1024,aes-sha1!").

My understanding is that by specifying the above, we are leaving it up to
the SeGW to choose whether to always re-negotiate the DH when the CHILD_SA
is rekeyed (by sending back to us "aes-sha1-modp1024") or to
never re-negotiate the DH when the CHILD_SA is rekeyed (by sending back to
us "aes-sha1").

So, if the former, does this mean that a new DH is re-negotiated every time
we rekey the CHILD_SA AND a new DH is re-negotiated every time we rekey the
IKE_SA?

If the latter, does this mean that a new DH is re-negotiated ONLY when we
rekey the IKE_SA?

Finally, if the latter, can the SeGW vary when the DH is re-negotiated (i.e.
re-negotiate the DH every THIRD time the CHILD_SA is rekeyed)?

Regards,

Graham.
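An added helper (not part of this thread or of strongSwan itself) that parses proposal strings in the form used above, such as "aes-sha1-modp1024,aes-sha1!", and reports whether the proposal the responder selects still carries a DH group, which is what decides whether each CHILD_SA rekey performs a fresh DH exchange (PFS); the token patterns are an assumed subset of strongSwan's proposal syntax.

```python
import re

# Token classes for the subset of strongSwan proposal syntax seen in the question
# (assumption: enough to cover ike=/esp= strings like "aes-sha1-modp1024,aes-sha1!").
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")
ENC_RE = re.compile(r"^(aes\d*(gcm\d*|ccm\d*)?|chacha20poly1305|3des|null)$")
INT_RE = re.compile(r"^(sha|sha1|sha\d+(_\d+)?|md5|aesxcbc)$")


def parse_proposal_list(spec):
    """Parse "aes-sha1-modp1024,aes-sha1!" into (strict, [proposal, ...]).

    A trailing "!" marks the list as strict (only these proposals are acceptable).
    Each proposal records its cipher, integrity and DH-group tokens separately.
    """
    strict = spec.endswith("!")
    proposals = []
    for text in spec.rstrip("!").split(","):
        prop = {"text": text, "enc": [], "integ": [], "dh": []}
        for tok in text.split("-"):
            if DH_RE.match(tok):
                prop["dh"].append(tok)
            elif ENC_RE.match(tok):
                prop["enc"].append(tok)
            elif INT_RE.match(tok):
                prop["integ"].append(tok)
            else:
                raise ValueError(f"unknown proposal token {tok!r} in {text!r}")
        proposals.append(prop)
    return strict, proposals


def offers_pfs(spec):
    """True if at least one proposal carries a DH group, so the peer may pick PFS."""
    return any(p["dh"] for p in parse_proposal_list(spec)[1])


def child_rekey_does_dh(initiator_esp, responder_choice):
    """Report whether CHILD_SA rekeys will include a fresh DH exchange.

    initiator_esp: the initiator's esp= list, e.g. "aes-sha1-modp1024,aes-sha1!"
    responder_choice: the single proposal the responder sent back, e.g. "aes-sha1"
    Raises ValueError if the responder picked something the initiator never offered.
    """
    _, offered = parse_proposal_list(initiator_esp)
    _, chosen = parse_proposal_list(responder_choice)
    if len(chosen) != 1:
        raise ValueError("responder must select exactly one proposal")
    pick = chosen[0]
    for p in offered:
        if (p["enc"], p["integ"], p["dh"]) == (pick["enc"], pick["integ"], pick["dh"]):
            # PFS on the CHILD_SA is in effect exactly when the agreed proposal
            # carries a DH group; without one, rekeys derive keys from the IKE_SA.
            return bool(pick["dh"])
    raise ValueError(f"{responder_choice!r} was not among the offered proposals")
```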