[strongSwan] ESN support for IKEv1
Martin Willi
martin at strongswan.org
Fri Mar 20 17:15:20 CET 2015
Hi,

> The wiki mentions this ESN support is only for IKEv2. Is it so?

Yes.

> As per my understanding this ESN feature refers to sequence
> numbers in ESP. So why is this support dependent on version of IKE?

ESN support must be negotiated, as defined in RFC 4304, 2.2.1:

> To support high-speed IPsec implementations, Extended Sequence
> Numbers (ESNs) SHOULD be implemented, as an extension to the current,
> 32-bit sequence number field. Use of an ESN MUST be negotiated by an
> SA management protocol. Note that in IKEv2, this negotiation is
> implicit; the default is ESN unless 32-bit sequence numbers are
> explicitly negotiated.

ESN negotiation for IKEv1 is defined in RFC 4304, but we currently do
not support this extension in strongSwan.

Regards
Martin
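
What "negotiated by an SA management protocol" looks like on the wire in IKEv2, as an added example that is not part of the original message and not strongSwan code: ESN is carried as Transform Type 5 in the ESP proposal (RFC 7296, section 3.3.2), with Transform ID 1 for ESN and 0 for 32-bit sequence numbers. The function names and the sample proposal bytes are constructed for illustration.

```python
import struct

TRANSFORM_TYPE_ESN = 5          # RFC 7296: Extended Sequence Numbers
ESN_IDS = {0: "32-bit sequence numbers (no ESN)", 1: "64-bit ESN"}

def parse_transforms(buf):
    """Walk a run of IKEv2 transform substructures; return (type, id) pairs."""
    out, off = [], 0
    while True:
        if len(buf) - off < 8:
            raise ValueError("truncated transform header")
        # last(1) reserved(1) length(2) type(1) reserved(1) id(2)
        last, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if last not in (0, 3):
            raise ValueError("bad last-substructure marker")
        if length < 8 or off + length > len(buf):
            raise ValueError("bad transform length")
        out.append((ttype, tid))
        off += length                      # skips any transform attributes
        if last == 0:
            if off != len(buf):
                raise ValueError("trailing bytes after last transform")
            return out

def esn_offered(transforms):
    """ESN transform IDs the peer put in its proposal."""
    return sorted(tid for ttype, tid in transforms if ttype == TRANSFORM_TYPE_ESN)

def select_esn(offered, local_pref=(1, 0)):
    """Responder side: first locally acceptable value that the peer offered."""
    for tid in local_pref:
        if tid in offered:
            return tid
    return None                            # no common value: reject the proposal

def transform(ttype, tid, last=False, attrs=b""):
    """Build one transform substructure (helper for the constructed sample)."""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs),
                       ttype, 0, tid) + attrs

# Constructed ESP proposal: ENCR_AES_CBC with a 128-bit Key Length attribute,
# AUTH_HMAC_SHA2_256_128, and both ESN values offered.
SAMPLE = (transform(1, 12, attrs=bytes.fromhex("800e0080")) + transform(3, 12)
          + transform(TRANSFORM_TYPE_ESN, 1)
          + transform(TRANSFORM_TYPE_ESN, 0, last=True))

if __name__ == "__main__":
    offered = esn_offered(parse_transforms(SAMPLE))
    print("offered:", [ESN_IDS[i] for i in offered])
    print("selected:", ESN_IDS[select_esn(offered)])
```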