On Fri, 8 Jun 2012, Yoav Nir wrote:

But all this is implementation-specific details. I'm more interested in hearing 
whether others are seeing this (I would guess yes, otherwise Cisco would not 
have developed the IKE fragments), and on whether there is interest in the 
group in an IKE-over-TCP draft.

Yes we have seen this in the past with openswan, though people affected
would usually use 2048 bit RSA keys instead of 1024 bit RSA keys.
And usually in combination with a CAcert without intermediary CAs.

We would advise them to use 1024 and the IKE fragmentation problem would
go away.

Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec