Hi Martin,

Thanks for your reply. I just want to clarify the doubts on PFS group proposal in IKEv2.

I guess, as per RFC 4306, PFS group proposal will happen in CREATE_SA exchange (IKE_AUTH messages), because it's mentioned like "A CHILD_SA is created by sending a CREATE_CHILD_SA request".

But in RFC 5996, it's mentioned like "The CREATE_CHILD_SA exchange is used to create new Child SAs and to rekey both IKE SAs and Child SAs".

As per the new RFC 5996, CREATE_CHILD_SA is only meant to create new Child SAs (after a tunnel is formed). So it's not possible to interoperate a software which supports RFC 4306 with strongSwan.

Please correct me if I am wrong. I'm not clear about this point in the RFC. I need experts' guidance.

Regards,
Saravanan N

On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi <[email protected]> wrote:

> Hi,
>
> > 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
> > 13[IKE] no acceptable proposal found
> > 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
>
> Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
> seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
> would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
> but not in IKE_AUTH.
>
> Regards
> Martin
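The condition Martin describes can be checked mechanically in a charon log. The following is an added example, not part of the original thread and not strongSwan code: it flags ESP/AH proposals that carry a DH group and were answered with N(NO_PROP) in an IKE_AUTH response. It assumes the log line layout quoted above, that the leading number is the worker thread handling the message, and that DH transforms are named with the prefixes MODP_, ECP_ or CURVE_; the function names and sample logs are constructed for illustration.

```python
import re

# Constructed sample: the three charon lines quoted in the thread.
REJECTED_LOG = """\
13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
13[IKE] no acceptable proposal found
13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
"""

# Constructed sample: same proposal without a DH group, accepted.
ACCEPTED_LOG = """\
07[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH SAr TSi TSr ]
"""

LINE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z]{3})\]\s+(?P<msg>.*)$")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")  # assumption: prefixes recognised here


def is_dh(transform):
    """True for a DH group transform name; the NONE value is not a group."""
    return transform.startswith(DH_PREFIXES) and not transform.endswith("_NONE")


def dh_in_ike_auth(log_text):
    """Return [(proposal, [dh groups])] for Child SA proposals that carried a
    DH group and were rejected with NO_PROP in an IKE_AUTH response."""
    pending = {}   # thread id -> proposals with a DH group seen on that thread
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m["thread"], m["msg"]
        if msg.startswith("received proposals:"):
            pending[tid] = []
            for prop in msg.split(":", 1)[1].split(","):
                prop = prop.strip()
                proto, _, transforms = prop.partition(":")
                if proto not in ("ESP", "AH"):   # IKE proposals may carry DH
                    continue
                groups = [t for t in transforms.split("/") if is_dh(t)]
                if groups:
                    pending[tid].append((prop, groups))
        elif "generating IKE_AUTH response" in msg:
            if "N(NO_PROP)" in msg:
                findings.extend(pending.get(tid, []))
            pending.pop(tid, None)
    return findings
```

An empty result for a rejected exchange means the proposal mismatch has some other cause than a DH group in IKE_AUTH.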
