Hi,

This may have been discussed before, but I haven't found such discussion. Apologies in advance if this is a stupid question.

Suppose we have two VPN peers configured to set up a tunnel between them. Suppose further that the IKE SAs are significantly longer-lived than the IPsec SAs. PFS is configured on both sides, but there are no matching groups (perhaps GW-1 is configured with only group 19, while GW-2 is configured only with group 20).

When the tunnel is first set up, it is negotiated in the IKE_AUTH exchange. Diffie-Hellman is not performed, so the mismatched configuration is not detected - traffic flows through the tunnel. After a while, one of the gateways attempts to rekey the tunnel, or else create a new tunnel with the same peer. This time the tunnel is set up using the CREATE_CHILD_SA exchange. The SA payload will contain the wrong DH group and the exchange will fail, resulting in traffic flow stopping.

As far as I can tell, this behavior is consistent with the RFC, but the user experience is very strange. Traffic should either flow or not flow - it should not stop at rekeying.

Am I missing something?

Thanks

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
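The lifecycle the post describes, as an added illustration (not code from any VPN implementation or from the poster): a toy IKEv2 Child SA negotiator that skips the DH group in IKE_AUTH and requires a common PFS group in CREATE_CHILD_SA, plus the pre-deployment check that would have caught the GW-1/GW-2 mismatch before the first rekey. Transform names, the gateway policies and the treatment of one-sided PFS are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class ChildSaPolicy:
    """Per-gateway IPsec (Child SA) policy. Constructed sample values, not real configs."""
    name: str
    encr: set          # ESP encryption transforms this peer accepts
    integ: set         # ESP integrity transforms this peer accepts
    pfs_groups: set    # DH groups for PFS; empty set means no PFS

def negotiate_child_sa(initiator, responder, exchange):
    """Return the chosen (encr, integ, dh_group) triple or raise on no match.

    'IKE_AUTH'        : first Child SA, no KE payload, so the DH group is never compared.
    'CREATE_CHILD_SA' : rekey or additional Child SA; with PFS the groups must overlap.
    Simplification: if either side wants PFS, a common group is required.
    """
    encr = initiator.encr & responder.encr
    integ = initiator.integ & responder.integ
    if not encr or not integ:
        raise ValueError("NO_PROPOSAL_CHOSEN: cipher/integrity mismatch")
    if exchange == "IKE_AUTH":
        return (min(encr), min(integ), None)   # tunnel comes up, mismatch hidden
    if exchange == "CREATE_CHILD_SA":
        common = initiator.pfs_groups & responder.pfs_groups
        if (initiator.pfs_groups or responder.pfs_groups) and not common:
            raise ValueError("NO_PROPOSAL_CHOSEN: no common PFS DH group at rekey")
        return (min(encr), min(integ), min(common) if common else None)
    raise ValueError(f"unknown exchange {exchange}")

def pfs_mismatch(a, b):
    """Config lint: True when both peers want PFS but share no DH group, i.e. the
    tunnel would come up in IKE_AUTH and break at the first CREATE_CHILD_SA."""
    return bool(a.pfs_groups) and bool(b.pfs_groups) and not (a.pfs_groups & b.pfs_groups)

def run_lifecycle(a, b):
    """Simulate initial setup followed by a rekey; report the outcome of each step."""
    outcome = []
    for exchange in ("IKE_AUTH", "CREATE_CHILD_SA"):
        try:
            negotiate_child_sa(a, b, exchange)
            outcome.append((exchange, "up"))
        except ValueError as err:
            outcome.append((exchange, f"failed: {err}"))
    return outcome

# Constructed policies matching the post: GW-1 offers only group 19, GW-2 only group 20.
GW1 = ChildSaPolicy("GW-1", {"AES_CBC_256"}, {"HMAC_SHA2_256_128"}, {19})
GW2 = ChildSaPolicy("GW-2", {"AES_CBC_256"}, {"HMAC_SHA2_256_128"}, {20})

if __name__ == "__main__":
    print("mismatch detected before deployment:", pfs_mismatch(GW1, GW2))
    for step in run_lifecycle(GW1, GW2):
        print(*step)
```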
