[strongSwan] PATCH: Payload order for aggressive mode
martin at strongswan.org
Tue Sep 10 11:00:15 CEST 2013
> I discovered that the watchguard expects the HASH_V1 before the NAT
> payload in the third message.
Thanks for your patch, I finally had a chance to take a closer look at
> Doing a quick search I didn't find any order requirements in the RFCs
> (did I miss something?).
While there is no specific text about the payload order, general
consensus is that the message/payload diagrams in the RFC define the
payload order. For aggressive mode (RFC 3947, section 4), this is:
> UDP(4500,4500) HDR*#, [CERT, ],
> NAT-D, NAT-D,
> SIG_I -->
While a signature payload is used here, I take this as a clear
indication to insert the NAT payloads before the SIG/HASH payload.
I'm skeptical about changing the payload order to something "less
correct", as it is likely to break interoperability with other
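Since the disagreement turns on where the payload order actually lives on the wire, here is an added Python example (not strongSwan code and not part of the patch under discussion) that encodes an ISAKMP header plus a chain of generic payloads and walks the Next Payload fields back out. The two builders produce the third aggressive-mode message once in the order drawn in RFC 3947 (NAT-D, NAT-D, HASH_I) and once with HASH_I first, which is the order the thread says the WatchGuard expects. The cookies, NAT-D hashes and HASH_I bytes are constructed placeholders of realistic size, not output of any IKE implementation, and the payloads are built unencrypted for illustration even though the diagram's HDR* means they would be encrypted on a real link.

```python
import struct

# ISAKMP payload type numbers (RFC 2408 section 3.1; NAT-D is 20 per RFC 3947 section 3.2)
PAYLOAD_NONE = 0
PAYLOAD_CERT = 6
PAYLOAD_HASH = 8
PAYLOAD_SIG = 9
PAYLOAD_NAT_D = 20

ISAKMP_VERSION = 0x10          # major 1, minor 0
EXCHANGE_AGGRESSIVE = 4        # aggressive mode exchange type
ISAKMP_HEADER_LEN = 28


def build_isakmp_message(icookie, rcookie, exchange, flags, msgid, payloads):
    """Encode an ISAKMP header followed by the payloads in the given order.

    The order is whatever the Next Payload fields say: the header names the
    first payload, each generic payload header names the one after it, and the
    last one carries 0 (NONE).
    """
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        # generic payload header: next payload, reserved, length (incl. 4-byte header)
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first_type = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, first_type,
                         ISAKMP_VERSION, exchange, flags, msgid,
                         ISAKMP_HEADER_LEN + len(body))
    return header + body


def walk_payloads(msg):
    """Follow the Next Payload chain; return [(type, data), ...] in wire order."""
    if len(msg) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    (_, _, next_type, _, _, _, _, length) = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HEADER_LEN])
    if length != len(msg):
        raise ValueError("header length does not match message size")
    off, chain = ISAKMP_HEADER_LEN, []
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        chain.append((next_type, msg[off + 4:off + plen]))
        next_type, off = following, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return chain


def payload_order(msg):
    return [ptype for ptype, _ in walk_payloads(msg)]


def follows_rfc_order(msg):
    """Check the third aggressive-mode message against the RFC 3947 diagram:
    [CERT,] NAT-D, NAT-D, SIG_I (or HASH_I when pre-shared keys are used)."""
    order = payload_order(msg)
    if order and order[0] == PAYLOAD_CERT:
        order = order[1:]
    return (len(order) == 3 and order[0] == order[1] == PAYLOAD_NAT_D
            and order[2] in (PAYLOAD_HASH, PAYLOAD_SIG))


# Constructed sample values: cookies, NAT-D hashes and HASH_I are placeholders
# of realistic size (20 bytes, SHA-1 sized), not real output of any IKE stack.
ICOOKIE = bytes(range(1, 9))
RCOOKIE = bytes(range(9, 17))
NAT_D_LOCAL = b"\x11" * 20
NAT_D_REMOTE = b"\x22" * 20
HASH_I = b"\x33" * 20


def rfc_third_message():
    """Payload order as drawn in RFC 3947: NAT-D, NAT-D, then HASH_I."""
    return build_isakmp_message(ICOOKIE, RCOOKIE, EXCHANGE_AGGRESSIVE, 0, 0,
        [(PAYLOAD_NAT_D, NAT_D_LOCAL), (PAYLOAD_NAT_D, NAT_D_REMOTE),
         (PAYLOAD_HASH, HASH_I)])


def hash_first_third_message():
    """Order the thread says the peer expects: HASH_I ahead of the NAT-D payloads."""
    return build_isakmp_message(ICOOKIE, RCOOKIE, EXCHANGE_AGGRESSIVE, 0, 0,
        [(PAYLOAD_HASH, HASH_I), (PAYLOAD_NAT_D, NAT_D_LOCAL),
         (PAYLOAD_NAT_D, NAT_D_REMOTE)])


if __name__ == "__main__":
    for name, m in (("rfc", rfc_third_message()), ("hash-first", hash_first_third_message())):
        print(name, payload_order(m), follows_rfc_order(m))
```

Both messages are equally well-formed ISAKMP: the chain walker accepts either, which is exactly why a peer that insists on one order is an interoperability problem rather than a parsing error. A checker like follows_rfc_order is what you would run over a capture to see which order a given implementation actually emits.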