Re: Add Diffie-Hellman group negotiation to iked

2017-12-11 Thread Tim Stewart
Patrick Wildt writes: > On Mon, Nov 27, 2017 at 06:12:22PM +0100, Patrick Wildt wrote: >> On Mon, Nov 27, 2017 at 04:21:08PM +0100, Patrick Wildt wrote: >> > On Wed, Nov 22, 2017 at 05:26:24PM +0100, Patrick Wildt wrote: >> > > On 2017/06/25 21:44, Tim Stewart wrote: >> > > >

Re: Add Diffie-Hellman group negotiation to iked

2017-12-11 Thread Tim Stewart
Apologies for disappearing for a while. I was moving across town and I had to drop many things! Stuart Henderson writes: > On 2017/06/25 21:44, Tim Stewart wrote: >> Hi, >> >> In this message I've tried to encode everything I've done to allow >> strongSwan on Android to

Re: Add Diffie-Hellman group negotiation to iked

2017-11-28 Thread Patrick Wildt
On Mon, Nov 27, 2017 at 06:12:22PM +0100, Patrick Wildt wrote: > On Mon, Nov 27, 2017 at 04:21:08PM +0100, Patrick Wildt wrote: > > On Wed, Nov 22, 2017 at 05:26:24PM +0100, Patrick Wildt wrote: > > > On 2017/06/25 21:44, Tim Stewart wrote: > > > > My first patch did, in fact, break Child SAs

Re: Add Diffie-Hellman group negotiation to iked

2017-11-27 Thread Patrick Wildt
On Wed, Nov 22, 2017 at 05:26:24PM +0100, Patrick Wildt wrote: > On 2017/06/25 21:44, Tim Stewart wrote: > > My first patch did, in fact, break Child SAs rekeying. I have a new > > patch at the end of this message that simply restricts DH group > > negotiation to IKE SAs (I *think* that DH group

Re: Add Diffie-Hellman group negotiation to iked

2017-11-22 Thread Patrick Wildt
On 2017/06/25 21:44, Tim Stewart wrote: > My first patch did, in fact, break Child SAs rekeying. I have a new > patch at the end of this message that simply restricts DH group > negotiation to IKE SAs (I *think* that DH group guessing only applies to > IKE SAs, and perhaps only the IKE_SA_INIT

Re: Add Diffie-Hellman group negotiation to iked

2017-11-09 Thread Stuart Henderson
On 2017/06/25 21:44, Tim Stewart wrote: > Hi, > > In this message I've tried to encode everything I've done to allow > strongSwan on Android to connect with iked, including the latest patch. > I have also verified that it breaks neither initial negotiation nor > Child SA rekeying for OpenBSD,

Re: Add Diffie-Hellman group negotiation to iked

2017-07-25 Thread Tim Stewart
viq writes: > On 17-07-18 23:20:26, Tim Stewart wrote: >> viq writes: >> >> > On 17-06-25 21:44:24, Tim Stewart wrote: >> >> Hi, >> >> >> >> In this message I've tried to encode everything I've done to allow >> >> strongSwan on Android to connect with iked,

Re: Add Diffie-Hellman group negotiation to iked

2017-07-23 Thread viq
On 17-07-18 23:20:26, Tim Stewart wrote: > viq writes: > > > On 17-06-25 21:44:24, Tim Stewart wrote: > >> Hi, > >> > >> In this message I've tried to encode everything I've done to allow > >> strongSwan on Android to connect with iked, including the latest patch. > >> I have

Re: Add Diffie-Hellman group negotiation to iked

2017-07-18 Thread Tim Stewart
viq writes: > On 17-06-25 21:44:24, Tim Stewart wrote: >> Hi, >> >> In this message I've tried to encode everything I've done to allow >> strongSwan on Android to connect with iked, including the latest patch. >> I have also verified that it breaks neither initial negotiation

Re: Add Diffie-Hellman group negotiation to iked

2017-07-14 Thread viq
And now with log.

ikev2_recv: IKE_SA_INIT request from initiator 37.47.4.5:9911 to 31.178.147.125:500 policy 'roadwarrior' id 0, 652 bytes
ikev2_recv: ispi 0x5e13d636599e1781 rspi 0x
ikev2_policy2id: srcid FQDN/keibi.viq.im length 16
ikev2_pld_parse: header ispi

Re: Add Diffie-Hellman group negotiation to iked

2017-07-13 Thread viq
On 17-06-25 21:44:24, Tim Stewart wrote: > Hi, > > In this message I've tried to encode everything I've done to allow > strongSwan on Android to connect with iked, including the latest patch. > I have also verified that it breaks neither initial negotiation nor > Child SA rekeying for OpenBSD,

Re: Add Diffie-Hellman group negotiation to iked

2017-06-25 Thread Tim Stewart
Hi, In this message I've tried to encode everything I've done to allow strongSwan on Android to connect with iked, including the latest patch. I have also verified that it breaks neither initial negotiation nor Child SA rekeying for OpenBSD, Windows, and strongSwan (on Android) clients. Stuart

Re: Add Diffie-Hellman group negotiation to iked

2017-06-24 Thread Stuart Henderson
On 2017/05/22 01:52, Tim Stewart wrote: > Hello again, > > Tim Stewart writes: > > > Tim Stewart writes: > > > >> This patch teaches iked to reject a KE with a Notify payload of type > >> INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group > >>

Re: Add Diffie-Hellman group negotiation to iked

2017-05-21 Thread Tim Stewart
Hello again, Tim Stewart writes: > Tim Stewart writes: > >> This patch teaches iked to reject a KE with a Notify payload of type >> INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group >> than is configured locally. The rejection indicates the

Re: Add Diffie-Hellman group negotiation to iked

2017-05-21 Thread Tim Stewart
Tim Stewart writes: > This patch teaches iked to reject a KE with a Notify payload of type > INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group > than is configured locally. The rejection indicates the desired > group. > > In my environment, this patch allows

Add Diffie-Hellman group negotiation to iked

2017-05-16 Thread Tim Stewart
This patch teaches iked to reject a KE with a Notify payload of type INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group than is configured locally. The rejection indicates the desired group. In my environment, this patch allows stock strongSwan on Android from the Google Play