Hi James,

> are you aware of any limit on the number of IKEv2 IKE and ESP proposals that
> StrongSwan v5.4.0 can support?

Each proposal has a number assigned within the SA payload, which is stored in an 8-bit field. Starting with 1, this theoretically limits the number of proposals to 255. But the daemon actually does not enforce this, so if you configure more they just get the same number assigned as a previous proposal (the number is just truncated to 8 bits). However, such an SA payload would then fail verification on the responder (the daemon verifies that the proposals are numbered consecutively). The number of transforms (algorithms) per proposal is also stored in an 8-bit field, so that's limited too (but also not enforced, so this could fail miserably as e.g. adding 256 transforms would result in the number getting set to 0).

> Testing with v5.0.3 we were able to use up to 10000 proposals.

Seems strange. How exactly did you test this? Could you provide some test configs? Why would you have such a high number of proposals anyway?

Regards,
Tobias

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
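As an added illustration of the 8-bit limits discussed in the reply above (example code written for this page, not strongSwan's own), here is a minimal Python encoder for the IKEv2 SA payload's proposal and transform substructures (RFC 7296 sections 3.3.1 and 3.3.2) together with the responder-side walk that checks consecutive numbering. Transform attributes such as key length are omitted, so the encoder is not a complete SA builder; the algorithm IDs in the comments are only sample values.

```python
import struct

PROTO_IKE, PROTO_ESP = 1, 3  # Protocol ID values from RFC 7296 section 3.3.1

def encode_transform(ttype, tid, last):
    """One Transform Substructure (RFC 7296 3.3.2): 8 bytes, attributes omitted."""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8, ttype, 0, tid)

def encode_proposal(num, proto, transforms, last, spi=b""):
    """One Proposal Substructure. Proposal Num and Num Transforms are 8-bit fields;
    like the daemon in the post, overflow is not rejected, only the low 8 bits survive."""
    body = b"".join(encode_transform(t, i, k == len(transforms) - 1)
                    for k, (t, i) in enumerate(transforms))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                      num & 0xFF, proto, len(spi), len(transforms) & 0xFF)
    return hdr + spi + body

def encode_sa_payload(proto, proposals, spi=b""):
    """SA payload body: proposals numbered 1..n, each a list of (type, id) pairs."""
    return b"".join(encode_proposal(n, proto, tfs, n == len(proposals), spi)
                    for n, tfs in enumerate(proposals, start=1))

def verify_sa_payload(data):
    """Walk the proposals like a responder; return [(num, proto, n_transforms)] or
    raise ValueError if numbering is not 1, 2, 3, ... or a length is inconsistent."""
    props, off, expected, more = [], 0, 1, 2
    while more != 0:
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack_from(
            "!BBHBBBB", data, off)
        if num != expected:  # the consecutive-numbering check from the post
            raise ValueError(f"expected proposal {expected}, got {num}")
        toff = off + 8 + spi_size
        for _ in range(ntrans):  # add up the transform lengths (each >= 8)
            toff += max(8, struct.unpack_from("!H", data, toff + 2)[0])
        if toff != off + plen:  # e.g. 256 transforms encoded as count 0
            raise ValueError("proposal length does not match its transforms")
        props.append((num, proto, ntrans))
        off, expected = off + plen, expected + 1
    if off != len(data):
        raise ValueError("trailing data after last proposal")
    return props

def responder_accepts(data):
    """True if a responder applying verify_sa_payload would accept this payload."""
    try:
        verify_sa_payload(data)
        return True
    except (ValueError, struct.error):
        return False
```

With 255 single-transform proposals the payload verifies; the 256th proposal's number wraps to 0 and the responder walk rejects it, and a proposal with 256 transforms is rejected because its count field reads 0 while its length still covers all 256 transforms.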
