Hi All,
We are facing an IKEv1 interop issue. The issue is that the responder (Check Point
SeGW) is not retaining the transform numbers received from the initiator (Huawei
base station); the SeGW replies with its own transform number.
IKEv1 first & second packets:

    Initiator                               Responder
    -------------                           -------------
    VID, SA  ------------------------------>            (1)
             <------------------------------  VID, SA   (2)
In our scenario, the Huawei base station (initiator) sends transform number 0
and the Check Point security gateway (responder) replies with 1. The initiator
tries to match the transform number received from the responder with one of the
numbers it sent initially, and the negotiation fails due to the mismatch.
We did interop tests with Cisco and Juniper; both Cisco and Juniper retain the
transform numbers sent by the Huawei base station, and the negotiation is
successful.
The Huawei base station compares the received transform number with one of the
transform numbers sent initially, along with the other attributes. This is in
line with the RFC 2408 section 4.2 statement: "The initiator MUST verify that
the Security Association payload received from the responder matches one of the
proposals sent initially."
One more point: the RFC says "The responder SHOULD retain the Proposal # field in
the Proposal payload and the Transform # field in each Transform payload of the
selected Proposal."
As I understand it, this transform number helps to direct to the correct SA
attributes on the initiator side.
Why are some vendors not retaining the transform number sent by the initiator?
If this is not followed, do we see any usefulness in the transform number
received at the initiator side? Can we drop the exchange if the correct
transform number is not received?
Regards,
Dharma.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
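The exchange described in the post, as an added example that is not part of the original message and not any vendor's code: a minimal model of the ISAKMP SA negotiation in which the responder either retains the Proposal # and Transform # (RFC 2408 section 4.2 SHOULD) or renumbers the selected transform to 1, and the initiator's MUST check is run either strictly (numbers and attributes) or leniently (attributes only). The Transform payload encoding follows RFC 2408 sections 3.3 and 3.6; attribute types and values are from RFC 2409 Appendix A and the IANA ISAKMP registry. The proposal contents, the two-transform offer numbered from 0, and the function names are constructed for illustration.

```python
"""Added example modelling the IKEv1 SA proposal/selection exchange from the post.

Not the original poster's or any vendor's code. Wire layout: RFC 2408 s3.6
(Transform payload) and s3.3 (TV/TLV attribute encoding). Sample data constructed."""
import struct
from dataclasses import dataclass

# RFC 2409 Appendix A attribute types (sample subset); values per the IANA registry
ENCR, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DUR = 1, 2, 3, 4, 11, 12
KEY_IKE = 1  # Transform-Id used in ISAKMP (Phase 1) proposals


@dataclass(frozen=True)
class Transform:
    number: int                 # Transform # field
    transform_id: int = KEY_IKE
    attrs: tuple = ()           # ((attribute type, value), ...) in wire order


@dataclass(frozen=True)
class Proposal:
    number: int                 # Proposal # field
    protocol_id: int = 1        # PROTO_ISAKMP
    transforms: tuple = ()


def encode_transform(t, last):
    """Serialise one Transform payload (RFC 2408 s3.6) with TV/TLV attributes (s3.3)."""
    body = b""
    for atype, value in t.attrs:
        if value <= 0xFFFF:                       # TV form: AF bit set, 2-byte value
            body += struct.pack("!HH", 0x8000 | atype, value)
        else:                                     # TLV form: AF bit clear, 4-byte value
            body += struct.pack("!HHI", atype, 4, value)
    next_payload = 0 if last else 3               # 3 = another Transform payload follows
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), t.number, t.transform_id, 0)
    return header + body


def decode_transform(data):
    """Parse one Transform payload; return (Transform, remaining bytes)."""
    _next, _res, length, number, transform_id, _res2 = struct.unpack("!BBHBBH", data[:8])
    pos, attrs = 8, []
    while pos < length:
        atype, v = struct.unpack("!HH", data[pos:pos + 4])
        if atype & 0x8000:                        # TV: v is the value
            attrs.append((atype & 0x7FFF, v)); pos += 4
        else:                                     # TLV: v is the value length
            raw = data[pos + 4:pos + 4 + v]
            attrs.append((atype, int.from_bytes(raw, "big"))); pos += 4 + v
    return Transform(number, transform_id, tuple(attrs)), data[length:]


def responder_select(proposals, acceptable, retain_numbers=True):
    """Responder picks the first acceptable transform. RFC 2408 s4.2 says it SHOULD
    retain Proposal # and Transform #; retain_numbers=False models a responder that
    renumbers the selected proposal/transform to 1 (the behaviour reported in the post)."""
    for p in proposals:
        for t in p.transforms:
            if acceptable(t):
                chosen = t if retain_numbers else Transform(1, t.transform_id, t.attrs)
                return Proposal(p.number if retain_numbers else 1, p.protocol_id, (chosen,))
    return None


def initiator_verify(sent, received, require_numbers=True):
    """Initiator MUST check (RFC 2408 s4.2): the returned SA must match one sent proposal.
    Returns (Proposal #, Transform #) of the matching sent transform, or None."""
    if received is None or len(received.transforms) != 1:
        return None
    rt = received.transforms[0]
    for p in sent:
        if p.protocol_id != received.protocol_id:
            continue
        for t in p.transforms:
            if t.transform_id != rt.transform_id or set(t.attrs) != set(rt.attrs):
                continue
            if require_numbers and (p.number, t.number) != (received.number, rt.number):
                continue                          # same attributes, wrong numbers
            return (p.number, t.number)
    return None


# Constructed sample: the initiator offers two transforms, numbered from 0 as in the post.
AES_SHA1 = ((ENCR, 7), (HASH, 2), (AUTH, 1), (GROUP, 2), (LIFE_TYPE, 1), (LIFE_DUR, 86400))
TDES_MD5 = ((ENCR, 5), (HASH, 1), (AUTH, 1), (GROUP, 2), (LIFE_TYPE, 1), (LIFE_DUR, 86400))
INITIATOR_SA = (Proposal(1, 1, (Transform(0, KEY_IKE, AES_SHA1), Transform(1, KEY_IKE, TDES_MD5))),)


def run_exchange(retain_numbers, require_numbers):
    """Message (1) -> responder -> message (2) over the wire encoding -> initiator check."""
    reply = responder_select(INITIATOR_SA, lambda t: dict(t.attrs)[ENCR] == 7, retain_numbers)
    wire = encode_transform(reply.transforms[0], last=True)
    decoded, rest = decode_transform(wire)
    assert rest == b""
    received = Proposal(reply.number, reply.protocol_id, (decoded,))
    return initiator_verify(INITIATOR_SA, received, require_numbers)


if __name__ == "__main__":
    print("retained numbers, strict check :", run_exchange(True, True))    # (1, 0)
    print("renumbered to 1, strict check  :", run_exchange(False, True))   # None
    print("renumbered to 1, lenient check :", run_exchange(False, False))  # (1, 0)
```

The second case reproduces the reported failure: the responder returns the initiator's own attributes under Transform # 1, and an initiator that matches on the number as well as the attributes finds no sent transform with that combination. The third case shows what a lenient initiator does with the same message: it still satisfies the RFC 2408 MUST by matching the returned attributes against one of the proposals it sent, which is the check the numbers were meant to make cheaper.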