On Sun, Mar 03, 2024 at 09:14:57PM -0500, Paul Wouters wrote:
>
> I agreed to write up a draft to discuss the issue regarding rekeying
> the initial Child SA and KE/PFS settings.
>
> Previous discussion/presentation at IETF118:
> https://datatracker.ietf.org/meeting/118/materials/slides-118-ipsecme-ikev2-dhke-interop-issues-00
>
> Initial proposed draft:
> https://datatracker.ietf.org/doc/draft-pwouters-ipsecme-child-pfs-info/
>
> Please let me know what I got wrong :)
>
> Paul
Thanks! This is definitely one of the major pain points for users when it breaks their setup after they thought they just got everything working.

I'll see if I can add an OpenIKED implementation. If I remember correctly, one thing we currently do to reduce the pain is always accepting the IKE DH for the Child DH as responder, which catches at least some misconfigurations (at the cost of being a little more permissive in the worst case).

> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
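The responder-side behaviour described in the reply above, modelled as an added example. This is not OpenIKED code and not text from the draft; it is a simplified simulation of D-H group selection for a CREATE_CHILD_SA rekey of the initial Child SA, showing the failure users hit (initiator rekeys with the IKE SA's D-H group, responder is configured for a different Child SA PFS group) and the permissive fallback of also accepting the IKE SA's group. Group numbers are IANA IKEv2 Transform Type 4 values; the policy layout, the `ChildSaRequest`/`ResponderPolicy`/`Decision` types and the function names are this example's own assumptions, as is the rule that a no-D-H proposal is accepted without looking at a KE payload.

```python
"""Simplified model of IKEv2 CREATE_CHILD_SA D-H group selection (responder side).

Added illustration, not OpenIKED code. The initial Child SA is created in IKE_AUTH
without a KE payload and keyed from the IKE SA; on rekey via CREATE_CHILD_SA the
initiator may offer D-H groups (PFS) and send a KE payload for one of them. This
model shows how a configured Child SA PFS group that differs from the IKE SA group
leads to NO_PROPOSAL_CHOSEN, and how the "also accept the IKE D-H group for the
Child SA" fallback from the thread changes the outcome.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA IKEv2 Transform Type 4 (Diffie-Hellman Group) identifiers.
DH_NONE = 0        # no D-H transform: Child SA keyed from SK_d only (no PFS)
MODP_2048 = 14
ECP_256 = 19
CURVE25519 = 31

NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"
INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"


@dataclass(frozen=True)
class ChildSaRequest:
    """A CREATE_CHILD_SA request reduced to its D-H part (assumed layout)."""
    offered_groups: Tuple[int, ...]   # Transform Type 4 values offered (empty = no PFS)
    ke_group: int = DH_NONE           # group of the KE payload sent, DH_NONE if none


@dataclass(frozen=True)
class ResponderPolicy:
    """Responder configuration for one IKE SA and its Child SAs (assumed layout)."""
    ike_dh_group: int
    child_pfs_groups: Tuple[int, ...]        # configured PFS groups, preferred first
    accept_ike_dh_for_child: bool = False    # the permissive fallback from the thread


@dataclass(frozen=True)
class Decision:
    chosen_group: Optional[int]   # agreed group, None when the proposal is rejected
    notify: Optional[str]         # notification the responder sends, None on success


def acceptable_child_groups(policy: ResponderPolicy) -> Tuple[int, ...]:
    """Groups the responder agrees to for a Child SA, in preference order."""
    groups = list(policy.child_pfs_groups) or [DH_NONE]
    if policy.accept_ike_dh_for_child and policy.ike_dh_group not in groups:
        # Fallback: a rekey using the IKE SA's group is tolerated even though
        # the Child SA policy does not list it (more permissive, fewer failures).
        groups.append(policy.ike_dh_group)
    return tuple(groups)


def select_child_dh(policy: ResponderPolicy, req: ChildSaRequest) -> Decision:
    """Pick the Child SA D-H group the responder would answer with."""
    offered = tuple(req.offered_groups) or (DH_NONE,)
    common = [g for g in acceptable_child_groups(policy) if g in offered]
    if not common:
        # Nothing overlaps: this is the rekey failure users run into.
        return Decision(None, NO_PROPOSAL_CHOSEN)
    if req.ke_group in common:
        # The initiator's KE payload already matches an acceptable group;
        # take it and avoid an extra round trip.
        return Decision(req.ke_group, None)
    chosen = common[0]
    if chosen == DH_NONE:
        # No-PFS proposal selected; the model ignores any KE payload here.
        return Decision(DH_NONE, None)
    # KE payload does not match the chosen group: ask the initiator to retry
    # with that group, as RFC 7296 does with INVALID_KE_PAYLOAD.
    return Decision(chosen, INVALID_KE_PAYLOAD)


if __name__ == "__main__":
    # Constructed scenario: IKE SA negotiated with MODP_2048, Child SA policy
    # on the responder says PFS with ECP_256, initiator rekeys with MODP_2048.
    strict = ResponderPolicy(MODP_2048, (ECP_256,))
    lenient = ResponderPolicy(MODP_2048, (ECP_256,), accept_ike_dh_for_child=True)
    rekey_with_ike_group = ChildSaRequest((MODP_2048,), MODP_2048)
    print("strict  :", select_child_dh(strict, rekey_with_ike_group))
    print("lenient :", select_child_dh(lenient, rekey_with_ike_group))
    # Initiator wants no PFS at all: the fallback does not rescue that case.
    print("no-PFS  :", select_child_dh(lenient, ChildSaRequest((), DH_NONE)))
```

The last scenario is the caveat worth noticing: accepting the IKE SA's group only helps when the initiator actually sends a KE payload; an initiator that rekeys the initial Child SA without any D-H transform is still rejected by a responder that requires PFS, so the fallback narrows the class of misconfigurations rather than removing it.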
