[strongSwan] Regarding Installation issue in strongswan

SaRaVanAn saravanan.nagarajan87 at gmail.com
Mon Nov 19 18:26:40 CET 2012

Hi Martin,
Thanks for you reply.
I just want to clarify the doubts on PFS group proposal in IKEv2.

I guess, as per RFC 4306 , PFS group proposal will happen in CREATE_SA
exchange (IKE_AUTH messages). Because its mentioned like "
 A CHILD_SA is created by sending a CREATE_CHILD_SA request"

But in RFC 5996 , its mentioned like
"  The CREATE_CHILD_SA exchange is used to create new Child SAs and to
   rekey both IKE SAs and Child SAs"

As per new RFC 5996, CREATE_CHILD_SA is only meant to create New Child SA's
(after a tunnel is formed).
So its not possible to inter operate a software,  which supports RFC4306
with Strongswan.

Please correct me , If I am wrong. I m not clear about this point in RFC.
I need experts guidance.

Saravanan N

On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi <martin at strongswan.org>wrote:

> Hi,
> > 13[CFG] received proposals:
> > 13[IKE] no acceptable proposal found
> > 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
> Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
> seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
> would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
> but not in IKE_AUTH.
> Regards
> Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121119/499c603d/attachment.html>

More information about the Users mailing list