[strongSwan] Regarding Installation issue in strongswan

SaRaVanAn saravanan.nagarajan87 at gmail.com
Mon Nov 19 18:26:40 CET 2012


Hi Martin,
Thanks for your reply.
I just want to clarify the doubts on PFS group proposal in IKEv2.

I guess, as per RFC 4306, PFS group proposal will happen in CREATE_SA
exchange (IKE_AUTH messages), because it's mentioned like
"A CHILD_SA is created by sending a CREATE_CHILD_SA request"

But in RFC 5996, it's mentioned like
"  The CREATE_CHILD_SA exchange is used to create new Child SAs and to
   rekey both IKE SAs and Child SAs"

As per the new RFC 5996, CREATE_CHILD_SA is only meant to create new Child SAs
(after a tunnel is formed).
So it's not possible to interoperate software which supports RFC 4306
with strongSwan.

Please correct me if I am wrong. I'm not clear about this point in the RFC.
I need expert guidance.

Regards,
Saravanan N



On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
> > 13[IKE] no acceptable proposal found
> > 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
>
> Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
> seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
> would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
> but not in IKE_AUTH.
>
> Regards
> Martin
>
>
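A log check for the condition Martin describes, as an added example that is not part of the original thread or strongSwan's own code: it flags Child SA (ESP/AH) proposals that carried a DH group and were answered inside IKE_AUTH. The sample log is constructed from the three lines quoted above plus one counter-case; the comma-separated proposal list and the DH name prefixes are assumptions about the log format.

```python
import re

# Constructed sample in the format of the charon log lines quoted above;
# thread 14 is a constructed counter-case whose proposal has no DH group.
SAMPLE_LOG = """\
13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
13[IKE] no acceptable proposal found
13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
14[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
"""

LINE = re.compile(r"^(\d+)\[(\w+)\]\s+(.*)$")
# Assumption: DH transforms are logged with one of these name prefixes.
DH = re.compile(r"^(MODP|ECP|CURVE)_")


def parse_proposals(text):
    """Split 'ESP:A/B/C, ESP:D/E' into (protocol, [transforms]) pairs."""
    out = []
    for item in text.split(","):
        proto, _, transforms = item.strip().partition(":")
        out.append((proto, transforms.split("/")))
    return out


def dh_in_ike_auth(log):
    """Find Child SA proposals with a DH group that were answered in IKE_AUTH,
    an exchange that carries no KE payload to run that DH exchange."""
    pending, findings = {}, []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, subsys, msg = m.groups()
        if subsys == "CFG" and msg.startswith("received proposals:"):
            pending[thread] = parse_proposals(msg.split(":", 1)[1])
        elif subsys == "ENC" and msg.startswith("generating IKE_AUTH response"):
            for proto, transforms in pending.pop(thread, []):
                groups = [t for t in transforms if DH.match(t)]
                if proto in ("ESP", "AH") and groups:
                    findings.append({"thread": thread, "protocol": proto,
                                     "dh_groups": groups,
                                     "rejected": "N(NO_PROP)" in msg})
    return findings


if __name__ == "__main__":
    for finding in dh_in_ike_auth(SAMPLE_LOG):
        print(finding)
```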