[strongSwan] Strongswan is proposing only PFS enabled proposals as part of quick mode
Tobias Brunner
tobias at strongswan.org
Fri Oct 7 10:01:05 CEST 2016
Hi Sridhar,
> We have configured two proposals one with PFS enabled and another with
> PFS disabled. With this configuration, strongswan is sharing only one
> PFS enabled proposal to peer in quick mode.
> ...
> With the above configuration, strongswan is sending only one proposal
> "*/aes128-md5-modp1024/*" part of quick mode, instead of sending both.
> Is there any way we can send both proposals to the peer in the quick
> mode. Any pointers would be helpful.
Such mixed proposals are not possible with IKEv1. As RFC 2409, section
5.5 puts it:
All offers made during a Quick Mode are logically related and must be
consistant. For example, if a KE payload is sent, the attribute
describing the Diffie-Hellman group (see section 6.1 and [Pip97])
MUST be included in every transform of every proposal of every SA
being negotiated.
Regards,
Tobias
P.S. Please do not cross-post to multiple mailing lists.
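The consistency rule from RFC 2409 section 5.5 that Tobias quotes can be checked mechanically against a strongSwan-style esp= proposal list. The following Python is an added example and not strongSwan code; it parses a simplified, assumed subset of strongSwan's proposal syntax (the set of DH group names is an assumption, and ESP integrity/encryption keyword handling is minimal), decides whether a list of proposals may be offered together in one IKEv1 Quick Mode, and reproduces the behaviour reported in the thread, where only the proposals sharing the first proposal's PFS group survive, with a simple rule that is not claimed to be strongSwan's actual selection logic.

```python
"""RFC 2409 section 5.5 consistency check for IKEv1 Quick Mode proposals.

Added example, not strongSwan code. Parses proposal strings in a simplified
subset of strongSwan's esp= syntax, e.g. "aes128-md5-modp1024,aes128-md5",
and reports whether every transform carries the same Diffie-Hellman group
attribute (or none at all), which is what IKEv1 requires within one SA.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed subset of the DH group keywords strongSwan accepts in proposals.
DH_GROUPS = {
    "modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
    "modp6144", "modp8192", "ecp256", "ecp384", "ecp521",
}


@dataclass(frozen=True)
class EspProposal:
    encryption: str
    integrity: Optional[str]  # None for AEAD ciphers such as aes128gcm16
    dh_group: Optional[str]   # None means no PFS for this proposal


def parse_proposal(text: str) -> EspProposal:
    """Parse one "enc[-integ][-dhgroup]" proposal (assumed simplified syntax)."""
    parts = text.strip().split("-")
    dh = None
    if parts and parts[-1] in DH_GROUPS:
        dh = parts.pop()
    if not parts or not parts[0]:
        raise ValueError(f"malformed proposal: {text!r}")
    encryption = parts[0]
    integrity = parts[1] if len(parts) > 1 else None
    return EspProposal(encryption, integrity, dh)


def parse_esp(conf: str) -> List[EspProposal]:
    """Parse a comma-separated esp= value into its proposals."""
    return [parse_proposal(p) for p in conf.split(",") if p.strip()]


def ikev1_consistent(proposals: List[EspProposal]) -> bool:
    """True if all proposals agree on PFS: same DH group everywhere, or none.

    RFC 2409 section 5.5: if a KE payload is sent, the DH group attribute
    MUST be present in every transform of every proposal of every SA.
    Mixing PFS and non-PFS proposals therefore cannot be offered together.
    """
    return len({p.dh_group for p in proposals}) <= 1


def ikev1_quick_mode_offer(proposals: List[EspProposal]) -> List[EspProposal]:
    """Subset that can go into one Quick Mode, anchored on the first proposal.

    Assumed rule that matches what the thread reports (only the first, PFS
    proposal is sent); strongSwan's real selection logic is not claimed here.
    """
    if not proposals:
        return []
    group = proposals[0].dh_group
    return [p for p in proposals if p.dh_group == group]


def split_into_consistent_sets(proposals: List[EspProposal]) -> List[List[EspProposal]]:
    """Partition proposals by PFS group; each partition could be its own SA."""
    buckets = {}
    for p in proposals:
        buckets.setdefault(p.dh_group, []).append(p)
    return list(buckets.values())


if __name__ == "__main__":
    # Constructed sample matching the configuration described in the thread.
    esp = parse_esp("aes128-md5-modp1024,aes128-md5")
    print("consistent:", ikev1_consistent(esp))
    print("offered:", ikev1_quick_mode_offer(esp))
    print("separate SAs:", split_into_consistent_sets(esp))
```

With IKEv1, the practical consequence is that a PFS and a non-PFS proposal cannot share one SA negotiation; splitting them into separate connection definitions, or negotiating with IKEv2 where proposals are not bound by this rule, are the options a practitioner would look at.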