On Thu, 9 Feb 2023, Tero Kivinen wrote:
> which do not match. I suggest just removing the section 3 text, as
> this is already explained in the section 2.2. Or perhaps moving the
> text from section 2.2 to section 3, replacing that old section 3
> paragraph with the text moved from section 2.2.
I did the latter.
> In the section 3.1 it would be nice to use properly formatted
> IP addresses. Now it looks like you are negotiating some 24-bit
> FC addresses, as your IP addresses only have 3 bytes in them:
>
> TSi = ((17,24233,198.51.12-198.51.12),
> (17,0,192.0.2.0-192.0.2.255),
> (0,0,198.51.0-198.51.255),
> TS_SECLABEL1, TS_SECLABEL2)
>
> and
>
> TSi = ((0,0,198.51.0-198.51.255),
> TS_SECLABEL1)
>
> Replace 198.5.12 with something like 198.5.0.12 and 192.51.0 with
> 192.51.0.0 and 192.51.255 with 192.51.0.255 or something... There is
It should be 198.51.100.0/24 which is TEST-NET-2. This error has been
there forever without getting spotted. Changed this to:
An initiator could send:
TSi = ((17,24233,198.51.100.12-198.51.100.12),
(0,0,198.51.100.0-198.51.100.255),
(0,0,192.0.2.0-192.0.2.255),
TS_SECLABEL1, TS_SECLABEL2)
TSr = ((17,53,203.0.113.1-203.0.113.1),
(0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1, TS_SECLABEL2)
The responder could answer with the following example:
TSi = ((0,0,198.51.100.0-198.51.100.255),
TS_SECLABEL1)
TSr = ((0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1)
eg also fixed the initiator site-to-site not to use proto udp.
I'll submit this in a day or two to give people a chance to review this
again :)
Paul
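As an added example (not from the thread or the draft), a small Python checker for the TS notation used in the examples above: it flags 3-octet addresses like the ones Tero spotted, flags addresses outside the RFC 5737 documentation prefixes (TEST-NET-2 being the one the fix used), and checks that a responder's answer only narrows what the initiator proposed. Treating protocol/port 0 as "any" is an assumption about the notation.

```python
import ipaddress
import re

# Notation used in the draft's examples: (protocol, port, start-end), so
# (17,24233,198.51.100.12-198.51.100.12) is UDP port 24233 to one host.
TS_RE = re.compile(r"\((\d+),(\d+),([0-9.]+)-([0-9.]+)\)")

# RFC 5737 documentation prefixes; example addresses should be full
# dotted quads drawn from these (198.51.100.0/24 is TEST-NET-2).
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def parse_ts(text):
    """Return [(proto, port, start, end), ...] for one TSi/TSr value.
    A 3-octet address such as 198.51.12 makes ipaddress raise ValueError."""
    out = []
    for proto, port, start, end in TS_RE.findall(text):
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if a > b:
            raise ValueError(f"range {start}-{end} is backwards")
        out.append((int(proto), int(port), a, b))
    return out

def lint_ts(text):
    """Problems a draft editor wants flagged: unparsable addresses and
    addresses outside the RFC 5737 documentation prefixes."""
    try:
        selectors = parse_ts(text)
    except ValueError as e:
        return [f"malformed: {e}"]
    return [f"{addr} not in a documentation range"
            for _, _, a, b in selectors for addr in (a, b)
            if not any(addr in net for net in DOC_NETS)]

def narrows(proposal, answer):
    """True if every selector the responder answers with fits inside one of
    the initiator's selectors (protocol/port 0 taken as 'any': assumption)."""
    return all(
        any(p in (0, proto) and q in (0, port) and s <= a and b <= e
            for p, q, s, e in proposal)
        for proto, port, a, b in answer)

# Sample input taken from the thread: the old 3-octet TSi and the corrected one.
OLD_TSI = "((17,24233,198.51.12-198.51.12),(17,0,192.0.2.0-192.0.2.255))"
NEW_TSI = ("((17,24233,198.51.100.12-198.51.100.12),"
           "(0,0,198.51.100.0-198.51.100.255),(0,0,192.0.2.0-192.0.2.255))")
RESP_TSI = "((0,0,198.51.100.0-198.51.100.255))"

if __name__ == "__main__":
    print(lint_ts(OLD_TSI), lint_ts(NEW_TSI))
    print(narrows(parse_ts(NEW_TSI), parse_ts(RESP_TSI)))
```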
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec