Yoav Nir writes:
> > IKEv2 tries to notice some misconfigurations, but it cannot catch them
> > all.
> > IKEv1 caught that particular one.

Oh, you can catch this in IKEv2 too immediately, if you are fine with wasting some resources. I.e. you can either create the IKE SA as a Childless IKE SA (RFC 6023) and then do CREATE_CHILD_SA immediately with PFS. This will allow having separate Diffie-Hellman groups for IPsec and IKE SAs, and detect misconfigurations immediately. If the other end does not support Childless IKE SAs, then you can simply rekey the first Child SA immediately after it has been created.

I.e. in both cases you do one extra round trip and a second Diffie-Hellman calculation. This (2+1 round trips) is still more efficient than 3+1.5 round trips for IKEv1... Diffie-Hellman calculation costs are the same.

-- 
[email protected]
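An added model, not from the thread, of when a Child SA PFS group mismatch becomes visible under the three strategies discussed: the plain IKE_SA_INIT + IKE_AUTH flow, a childless IKE SA followed by CREATE_CHILD_SA, and an immediate rekey of the first Child SA. It assumes (as the post implies) that IKE_AUTH carries no KE payload for the first Child SA, so only an exchange that actually performs a Child SA Diffie-Hellman can raise INVALID_KE_PAYLOAD; group numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Peer:
    ike_group: int    # DH group configured for the IKE SA
    child_group: int  # PFS group configured for Child SAs

@dataclass
class Outcome:
    round_trips: int = 0
    detected_at: Optional[str] = None  # exchange that surfaced the mismatch
    log: List[str] = field(default_factory=list)

def ike_sa_init(i: Peer, r: Peer, out: Outcome) -> bool:
    # Round trip 1: KE payload present, so an IKE SA group mismatch shows here.
    out.round_trips += 1
    if i.ike_group != r.ike_group:
        out.log.append("IKE_SA_INIT: INVALID_KE_PAYLOAD")
        out.detected_at = "IKE_SA_INIT"
        return False
    out.log.append("IKE_SA_INIT: ok")
    return True

def ike_auth(out: Outcome, childless: bool) -> None:
    # Round trip 2: no KE payload (model assumption), so the first Child SA is
    # keyed from the IKE SA's DH and a child PFS group mismatch stays hidden.
    out.round_trips += 1
    out.log.append("IKE_AUTH: ok" + (" (childless)" if childless else " (Child SA #1)"))

def create_child_sa(i: Peer, r: Peer, out: Outcome) -> bool:
    # Extra round trip: CREATE_CHILD_SA with PFS carries a KE payload, so the
    # responder can reject the group immediately.
    out.round_trips += 1
    if i.child_group != r.child_group:
        out.log.append("CREATE_CHILD_SA: INVALID_KE_PAYLOAD")
        out.detected_at = "CREATE_CHILD_SA"
        return False
    out.log.append("CREATE_CHILD_SA: ok")
    return True

def negotiate(i: Peer, r: Peer, strategy: str = "default") -> Outcome:
    """strategy: 'default' (no extra exchange), 'childless' (RFC 6023 +
    CREATE_CHILD_SA), or 'rekey' (immediate rekey of Child SA #1)."""
    out = Outcome()
    if not ike_sa_init(i, r, out):
        return out
    ike_auth(out, childless=(strategy == "childless"))
    if strategy in ("childless", "rekey"):
        create_child_sa(i, r, out)
    return out
```

With `Peer(14, 19)` against `Peer(14, 20)`, the default flow completes in 2 round trips with the mismatch still undetected, while both extra-exchange strategies surface it at round trip 3 (2+1), matching the post's count.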
