VPP-1683

IKEv2 should not include DH group in implicit initial child SA proposal

    • Type: Bug
    • Resolution: Done
    • Priority: High
    • IPsec

      From RFC 7296:

      Note that IKE_AUTH messages do not contain KEi/KEr or Ni/Nr payloads.
      Thus, the SA payloads in the IKE_AUTH exchange cannot contain
      Transform Type 4 (Diffie-Hellman group) with any value other than
      NONE. Implementations SHOULD omit the whole transform substructure
      instead of sending value NONE.

      The inclusion of the DH group in the initial proposal list causes IKE_AUTH to fail with libreswan.

            ftehlar Filip Tehlar
            chopps Christian Hopps
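
The rule quoted from RFC 7296 can be checked directly against the bytes of a child SA proposal. The C function below is an added example, not VPP or libreswan code; the function name, the result codes and both sample proposals are constructed for illustration, with layouts taken from RFC 7296 sections 3.3.1 and 3.3.2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not VPP code. Result codes are hypothetical names. */
enum { DH_ABSENT = 0, DH_NONE = 1, DH_GROUP = 2, MALFORMED = -1 };

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Scan one Proposal substructure for Transform Type 4 (Diffie-Hellman group).
 * DH_GROUP means the proposal is not valid inside IKE_AUTH. */
int child_proposal_dh_check(const uint8_t *p, size_t len)
{
    if (len < 8 || be16(p + 2) != len || 8 + (size_t)p[6] > len)
        return MALFORMED;
    size_t off = 8 + (size_t)p[6];   /* fixed header + SPI (p[6] = SPI size) */
    unsigned n = p[7];               /* Num Transforms */
    int result = DH_ABSENT;
    while (n--) {
        if (len - off < 8) return MALFORMED;
        size_t tlen = be16(p + off + 2);          /* Transform Length */
        if (tlen < 8 || tlen > len - off) return MALFORMED;
        if (p[off + 4] == 4) {                    /* Transform Type 4 = DH */
            int v = be16(p + off + 6) ? DH_GROUP : DH_NONE;
            if (v > result) result = v;
        }
        off += tlen;
    }
    return off == len ? result : MALFORMED;
}

/* Constructed ESP proposal: AES-CBC-256, HMAC-SHA2-256-128, no ESN. */
static const uint8_t sample_without_dh[] = {
    0x00,0x00,0x00,0x28, 0x01,0x03,0x04,0x03, 0x11,0x22,0x33,0x44,
    0x03,0x00,0x00,0x0c, 0x01,0x00,0x00,0x0c, 0x80,0x0e,0x01,0x00,
    0x03,0x00,0x00,0x08, 0x03,0x00,0x00,0x0c,
    0x00,0x00,0x00,0x08, 0x05,0x00,0x00,0x00 };

/* Same constructed proposal with a DH group 14 transform added. */
static const uint8_t sample_with_dh14[] = {
    0x00,0x00,0x00,0x30, 0x01,0x03,0x04,0x04, 0x11,0x22,0x33,0x44,
    0x03,0x00,0x00,0x0c, 0x01,0x00,0x00,0x0c, 0x80,0x0e,0x01,0x00,
    0x03,0x00,0x00,0x08, 0x03,0x00,0x00,0x0c,
    0x03,0x00,0x00,0x08, 0x04,0x00,0x00,0x0e,
    0x00,0x00,0x00,0x08, 0x05,0x00,0x00,0x00 };

int main(void)
{
    printf("%d %d\n", child_proposal_dh_check(sample_without_dh, sizeof sample_without_dh),
           child_proposal_dh_check(sample_with_dh14, sizeof sample_with_dh14));
    return 0;
}
```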