If your setup is set to that you configure only one Diffie-Hellman for
the IKEv2, which is then used for both IKE SA and Child SAs, then you
would notice this misconfiguration immediately.
My product has a separate configuration for phase 1 Diffie-Hellman group
and phase 2 Diffie-Hellman group.
Thinking it over, I cannot explain why this is needed, but at least
StrongSwan also specifies ESP groups separately from IKE groups.
This had sense in IKEv1. In IKEv2 separating configuration of DH groups
for IKE and IPsec has much less sense. Note that besides the problem of
misconfiguration, that you've encountered, there is another subtle issue.
If the groups for IKE and IPsec are different, then even if no
misconfiguration
takes place and all IPsec rekeys run smoothly, we have the situation
that the very first IPsec SA has different level of protection than the
others
IPsec SAs, because unlike the others the first IPsec SA is created using
IKE DH group, not IPsec DH group.
And here are the reasons why there is little sense to use different DH
groups
for IKE and IPsec in IKEv2. The very first IPsec SA, created in IKE_AUTH
exchange
will have the keys derived from the shared secret calculated using DH group
for IKE.
When doing a rekey it is unlikely that you want to degrade security of new
SA,
so you shodn't use weaker DH group for the IPsec SA than for the IKE SA.
On the other hand, there is no point to use stronger DH group,
since some (probably substantial) part of data has already beed transferred
over the IPsec SA that is being rekeyed, so why should we protect
the resulting part (that will pass over new IPsec SA) differently?
That's a trade-off for piggy-backing of creating the first IPsec SA,
that was selected when IKEv2 was designed.
Yoav
Regards,
Valery.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
