[strongSwan] Regarding Installation issue in strongswan
saravanan.nagarajan87 at gmail.com
Mon Nov 19 18:26:40 CET 2012
Thanks for your reply.
I just want to clarify my doubts on the PFS group proposal in IKEv2.
I guess, as per RFC 4306, the PFS group proposal will happen in the CREATE_SA
exchange (IKE_AUTH messages), because it's mentioned like
"A CHILD_SA is created by sending a CREATE_CHILD_SA request".
But in RFC 5996, it's mentioned like
"The CREATE_CHILD_SA exchange is used to create new Child SAs and to
rekey both IKE SAs and Child SAs".
As per the new RFC 5996, CREATE_CHILD_SA is only meant to create new Child SAs
(after a tunnel is formed).
So it's not possible to interoperate with software which supports RFC 4306.
Please correct me if I am wrong. I'm not clear about this point in the RFC.
I need expert guidance.

On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi <martin at strongswan.org> wrote:
> > 13[CFG] received proposals:
> > 13[IKE] no acceptable proposal found
> > 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
> Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
> seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
> would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
> but not in IKE_AUTH.
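
The mismatch described in the quoted reply, as an added example that is not part of the original thread and not strongSwan code: a simplified proposal matcher in which the responder drops its configured DH group during IKE_AUTH (no KE payload is exchanged there) and requires the same transform types on both sides. The algorithm names and proposals are constructed sample values, and the strict type comparison is an assumption of this model.

```python
# Simplified model of Child SA proposal selection (added example, not
# strongSwan code). Algorithm names below are constructed sample values.

def normalize(proposal):
    """Copy a proposal; a DH transform of NONE equals omitting it."""
    out = {ttype: set(ids) for ttype, ids in proposal.items()}
    if out.get("DH") == {"NONE"}:
        del out["DH"]
    return out

def select_child_proposal(received, configured, exchange):
    """Return the chosen transforms, or None (answer NO_PROPOSAL_CHOSEN).

    IKE_AUTH carries no KE payload, so the first Child SA cannot use a DH
    group: the responder compares against its config with DH removed.
    """
    for cfg in map(normalize, configured):
        if exchange == "IKE_AUTH":
            cfg.pop("DH", None)
        for prop in map(normalize, received):
            if prop.keys() != cfg.keys():
                continue  # e.g. peer sent a DH group we cannot honour here
            common = {t: prop[t] & cfg[t] for t in cfg}
            if all(common.values()):
                return {t: min(ids) for t, ids in common.items()}
    return None

ESP = {"ENCR": {"AES_CBC_128"}, "INTEG": {"HMAC_SHA1_96"}, "ESN": {"NO_ESN"}}
RESPONDER = [dict(ESP, DH={"MODP_2048"})]       # PFS configured on the gateway
CLIENT_WITH_DH = [dict(ESP, DH={"MODP_2048"})]  # client includes a DH group
CLIENT_NO_DH = [ESP]                            # client omits the DH transform

if __name__ == "__main__":
    for name, props in (("with DH", CLIENT_WITH_DH), ("no DH", CLIENT_NO_DH)):
        for exch in ("IKE_AUTH", "CREATE_CHILD_SA"):
            print(name, exch, select_child_proposal(props, RESPONDER, exch))
```

In this model the proposal carrying a DH group is rejected in IKE_AUTH and accepted in CREATE_CHILD_SA, while the same proposal without the DH transform is accepted in IKE_AUTH.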