On May 28, 2015, at 7:21 AM, Paul Wouters <[email protected]> wrote:

> I had a long talk with Tero a few IETFs ago, and he was pretty
> convincing that it makes no sense whatsoever to have different
> phase 1/2 Diffie-Hellman groups.

We actually talked about this during the design of IKEv2, but some people claimed we needed the separation because of different security needs for the two parts. In retrospect, we should have said "even if that's true, it will cause problems". Here is an example of where it causes problems.

> Try to tell your webgui developers instead? :)

That seems to be the easiest way around this protocol mis-design.

--Paul Hoffman

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
