[strongSwan] PATCH: Payload order for aggressive mode

Gerald Richter - ECOS richter at ecos.de
Thu Sep 12 06:40:33 CEST 2013

Hi Martin,

> While there is no specific text about the payload order, general consensus is
> that the message/payload diagrams in the RFC define the payload order. For
> aggressive mode (RFC 3947, section 4), this is:
> >    UDP(4500,4500) HDR*#, [CERT, ],
> >        NAT-D, NAT-D,
> >        SIG_I -->
> While a signature payload is used here, I take this as a clear indication to
> insert the NAT payloads before the SIG/HASH payload.
> I'm skeptical about changing the payload order to something "less correct",
> as it is likely to break interoperability with other implementations.

Although I can understand your doubts about changing the order, I see a huge benefit if the interoperability of strongSwan with other vendors can be enhanced.

So maybe, we can make this an option in strongswan.conf?


