Yoav Nir writes:
> When the tunnel is first set up, it is negotiated in the IKE_AUTH
> exchange. Diffie-Hellman is not performed, so the mismatched
> configuration is not detected - traffic flows through the tunnel.

If your setup is such that you configure only one Diffie-Hellman group
for IKEv2, which is then used for both the IKE SA and the Child SAs, then
you would notice this misconfiguration immediately.

> After a while, one of the gateways attempts to rekey the tunnel, or
> else create a new tunnel with the same peer. This time the tunnel is
> set up using the CREATE_CHILD_SA exchange. The SA payload will
> contain the wrong DH group and the exchange will fail, resulting in
> traffic flow stopping. 

When the last Child SA gets deleted from the IKE SA, you should most
likely shut down the IKE SA, or at least if all the rekeys fail, you
should start from the beginning.

> As far as I can tell, this behavior is consistent with the RFC, but
> the user experience is very strange. Traffic should either flow or
> not flow - it should not stop at rekeying. 

IKEv2 tries to notice some misconfigurations, but it cannot catch them
all. 

> Am I missing something?

Do not misconfigure your systems...
-- 
[email protected]
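A small Python model of the tunnel lifecycle this thread describes, added here as an illustration; it is not code from the thread or from any IKEv2 implementation. The gateway configurations GW_A/GW_B, the transform names and the one-transform-per-type selection are constructed assumptions; the `pfs` flag models a CREATE_CHILD_SA rekey with or without a new Diffie-Hellman exchange.

```python
# Constructed configs: each side lists the transforms it accepts for the
# IKE SA and for the Child SA.  GW_B's Child SA DH group (19) differs from
# GW_A's (14), which is the mismatch discussed in the thread.
GW_A = {"ike": {"ENCR": {"AES-CBC-128"}, "PRF": {"PRF-HMAC-SHA1"},
                "INTEG": {"HMAC-SHA1-96"}, "DH": {14}},
        "child": {"ENCR": {"AES-CBC-128"}, "INTEG": {"HMAC-SHA1-96"}, "DH": {14}}}
GW_B = {"ike": dict(GW_A["ike"]),
        "child": {"ENCR": {"AES-CBC-128"}, "INTEG": {"HMAC-SHA1-96"}, "DH": {19}}}

def negotiate(offer, accept, types):
    """Pick one transform per type; None models NO_PROPOSAL_CHOSEN."""
    chosen = {}
    for t in types:
        common = offer[t] & accept[t]
        if not common:
            return None
        chosen[t] = min(common, key=str)
    return chosen

def run_lifecycle(init, resp, pfs=True):
    """Walk one tunnel through IKE_SA_INIT, IKE_AUTH and a CREATE_CHILD_SA
    rekey.  Returns [(exchange, "ok" | "NO_PROPOSAL_CHOSEN"), ...]."""
    steps = []
    # IKE_SA_INIT: the IKE SA negotiates its own DH group (KE payload sent).
    ike = negotiate(init["ike"], resp["ike"], ("ENCR", "PRF", "INTEG", "DH"))
    steps.append(("IKE_SA_INIT", "ok" if ike else "NO_PROPOSAL_CHOSEN"))
    if not ike:
        return steps
    # IKE_AUTH: the first Child SA is keyed from the IKE SA with no DH
    # exchange, so the Child SA DH group is never compared here.
    child = negotiate(init["child"], resp["child"], ("ENCR", "INTEG"))
    steps.append(("IKE_AUTH", "ok" if child else "NO_PROPOSAL_CHOSEN"))
    if not child:
        return steps
    # CREATE_CHILD_SA rekey: with PFS the DH transform is now part of the
    # proposal, and the mismatch surfaces only at this point.
    types = ("ENCR", "INTEG", "DH") if pfs else ("ENCR", "INTEG")
    rekey = negotiate(init["child"], resp["child"], types)
    steps.append(("CREATE_CHILD_SA", "ok" if rekey else "NO_PROPOSAL_CHOSEN"))
    return steps

def single_group_config(cfg):
    """The setup the reply describes: one DH group shared by the IKE SA and
    the Child SAs, so a mismatch already fails IKE_SA_INIT."""
    out = {"ike": dict(cfg["ike"]), "child": dict(cfg["child"])}
    out["ike"]["DH"] = cfg["child"]["DH"]
    return out
```

With the constructed configs, `run_lifecycle(GW_A, GW_B)` passes IKE_SA_INIT and IKE_AUTH and fails at CREATE_CHILD_SA, while the single-group variant fails at IKE_SA_INIT.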

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
