Yes, with IKEv1 a fresh DH exchange is done in the Quick Mode which derives the ESP keying material.

With IKEv2, the ESP DH parameter will only be used with the CREATE_CHILD_SA message exchange during rekeying or if multiple CHILD SAs are installed but not in the initial IKE_AUTH exchange where the ESP keys for the first CHILD SA are derived from the IKE DH secret.

Regards

Andreas

On 21.10.2016 14:52, Noel Kuntze wrote:
> On 21.10.2016 13:58, Trump DD wrote:
>> 02[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
> That's normal. With a certain IKE version (don't remember which), the DH-Group only is important when rekeying, because the initial setup of a CHILD_SA doesn't include a DH exchange, it is only done when rekeying the CHILD_SA.
--
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution!
www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
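The keying rule Andreas describes, written out as an added example (my illustration code, not part of this thread and not strongSwan's implementation): the CHILD_SA KEYMAT derivation of RFC 7296 section 2.17 built on prf+ from section 2.13. It assumes PRF_HMAC_SHA2_256 as the IKE PRF and the AES_GCM_16_256 ESP proposal from the quoted log line; SK_d, the nonces and the new g^ir are constructed sample values. The point it shows is that the first CHILD_SA (IKE_AUTH) and a CREATE_CHILD_SA without a KE payload draw only on SK_d and the nonces, while a CREATE_CHILD_SA that carries the ESP DH group mixes a fresh g^ir into the same prf+ input.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, the IKEv2 PRF assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ... truncated."""
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int, g_ir: bytes = b"") -> bytes:
    """KEYMAT for a CHILD_SA, RFC 7296 section 2.17.

    - IKE_AUTH (first CHILD_SA) or CREATE_CHILD_SA without a KE payload:
        KEYMAT = prf+(SK_d, Ni | Nr)
      SK_d itself was derived from the IKE_SA_INIT DH exchange; no ESP DH is run.
    - CREATE_CHILD_SA carrying a KE payload (the ESP DH group in the proposal):
        KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
    An empty g_ir means "no DH exchange in this CREATE_CHILD_SA".
    """
    return prf_plus(sk_d, g_ir + ni + nr, length)


def keymat_length_aes_gcm_256() -> int:
    """AES_GCM_16_256 needs a 32-byte key plus a 4-byte salt (RFC 4106) per
    direction and no separate integrity key, so KEYMAT is 2 * 36 bytes."""
    return 2 * (32 + 4)


def split_keymat(keymat: bytes, per_direction: int) -> dict:
    """KEYMAT is consumed in order: initiator-to-responder first, then responder-to-initiator."""
    return {"i2r": keymat[:per_direction], "r2i": keymat[per_direction:2 * per_direction]}


def demo() -> dict:
    # Constructed sample values, not taken from any real session.
    sk_d = hashlib.sha256(b"constructed SK_d from IKE_SA_INIT").digest()
    ni = bytes(range(0, 32))
    nr = bytes(range(32, 64))
    new_g_ir = hashlib.sha256(b"constructed g^ir of a CREATE_CHILD_SA DH exchange").digest()
    length = keymat_length_aes_gcm_256()

    # IKE_AUTH: the ESP DH group in the proposal is not used at all here.
    initial = child_sa_keymat(sk_d, ni, nr, length)
    # A real rekey exchanges fresh nonces; the same nonces are reused here only
    # to isolate the effect of the DH secret on the derived keys.
    rekey_no_dh = child_sa_keymat(sk_d, ni, nr, length)
    rekey_with_dh = child_sa_keymat(sk_d, ni, nr, length, g_ir=new_g_ir)
    return {
        "initial": initial,
        "rekey_no_dh": rekey_no_dh,
        "rekey_with_dh": rekey_with_dh,
        "initial_keys": split_keymat(initial, 36),
    }


if __name__ == "__main__":
    d = demo()
    print("first CHILD_SA KEYMAT     :", d["initial"].hex())
    print("CREATE_CHILD_SA with DH   :", d["rekey_with_dh"].hex())
    print("DH changed the ESP keys   :", d["initial"] != d["rekey_with_dh"])
```

Running it prints two different 72-byte KEYMAT values; the only difference in their inputs is the g^ir prepended when the rekey actually performs the DH exchange.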
