Hi Eduardo,

> esp=null-sha1-modp8192!
> ike=aes128-sha-modp1024!
> For both scenarios the CHILD SA is created (with no PFS).

Did you create the CHILD_SA in an additional CREATE_CHILD_SA exchange? If the CHILD_SA is set up along with the initial IKE_AUTH exchange, there is no way to do a separate DH exchange for the CHILD_SA in IKEv2. This hardly makes sense, as we just did a DH exchange during IKE_SA_INIT.

The DH group in the esp= parameter is ignored for the initial setup. The DH group is only used for later CHILD_SA setups or rekeyings using a CREATE_CHILD_SA exchange.

Regards
Martin
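Added example, not part of the original message or of strongSwan: a small Python check that applies the rule described in the reply to a pair of ike=/esp= values and reports which DH group protects the initial CHILD_SA and which one applies only on CREATE_CHILD_SA. The function names are hypothetical, and only modpNNNN keywords are recognised as DH groups (an assumption made to keep the example short).

```python
import re

# Only modp groups are recognised here (assumption of this example).
MODP = re.compile(r"modp(\d+)$")


def dh_groups(value):
    """For each comma-separated proposal in an ike=/esp= value,
    return the list of modp sizes (in bits) that proposal offers."""
    proposals = value.strip().rstrip("!").split(",")
    return [
        [int(m.group(1)) for tok in p.strip().split("-") if (m := MODP.match(tok))]
        for p in proposals
    ]


def review(ike, esp):
    """Report which DH group keys the CHILD_SA in each IKEv2 exchange."""
    ike_sizes = [s for prop in dh_groups(ike) for s in prop]
    esp_props = dh_groups(esp)
    esp_sizes = [s for prop in esp_props for s in prop]

    # The CHILD_SA created with IKE_AUTH has no DH exchange of its own,
    # so the weakest ike= group bounds its key strength.
    initial = min(ike_sizes) if ike_sizes else None
    # The esp= group is used only in a later CREATE_CHILD_SA exchange.
    rekey = min(esp_sizes) if esp_sizes else None

    return {
        "initial_child_sa_dh_bits": initial,
        "create_child_sa_dh_bits": rekey,
        # A fresh DH on rekey needs a DH group in every esp= proposal.
        "dh_on_every_rekey": bool(esp_props) and all(esp_props),
        # True when the esp= group suggests more strength than the
        # first CHILD_SA actually gets from the ike= group.
        "initial_weaker_than_esp_setting": (
            initial is not None and rekey is not None and initial < rekey
        ),
    }


if __name__ == "__main__":
    # Values quoted in the message above.
    for key, val in review("aes128-sha-modp1024!", "null-sha1-modp8192!").items():
        print(f"{key}: {val}")
```
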
