On Thu, 9 Feb 2023, Tero Kivinen wrote:
> which do not match. I suggest just removing the section 3 text, as this is already explained in section 2.2. Or perhaps moving the text from section 2.2 to section 3, replacing that old section 3 paragraph with the text moved from section 2.2.
I did the latter.
> In section 3.1 it would be nice to use properly formatted IP addresses. Now it looks like you are negotiating some 24-bit FC addresses, as your IP addresses only have 3 bytes in them:
>
>     TSi = ((17,24233,198.51.12-198.51.12), (17,0,192.0.2.0-192.0.2.255),
>            (0,0,198.51.0-198.51.255), TS_SECLABEL1, TS_SECLABEL2)
>
> and
>
>     TSi = ((0,0,198.51.0-198.51.255), TS_SECLABEL1)
>
> Replace 198.5.12 with something like 198.5.0.12 and 192.51.0 with 192.51.0.0 and 192.51.255 with 192.51.0.255 or something... There is
It should be 198.51.100.0/24, which is TEST-NET-2. This error has been there forever without getting spotted. Changed this to:

    An initiator could send:

    TSi = ((17,24233,198.51.100.12-198.51.100.12),
           (0,0,198.51.100.0-198.51.100.255),
           (0,0,192.0.2.0-192.0.2.255), TS_SECLABEL1, TS_SECLABEL2)
    TSr = ((17,53,203.0.113.1-203.0.113.1),
           (0,0,203.0.113.0-203.0.113.255), TS_SECLABEL1, TS_SECLABEL2)

    The responder could answer with the following example:

    TSi = ((0,0,198.51.100.0-198.51.100.255), TS_SECLABEL1)
    TSr = ((0,0,203.0.113.0-203.0.113.255), TS_SECLABEL1)

eg also fixed the initiator site-to-site not to use proto udp. I'll submit this in a day or two to give people a chance to review this again :)

Paul
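The narrowing shown in the corrected example, as an added illustration that is not part of this thread or the draft: a small validator that parses the (protocol, port, address-range) tuples, rejects malformed addresses such as the 3-octet ones in the old text, and checks that a responder's selectors and label are a subset of what the initiator proposed. It assumes protocol 0 and port 0 mean "any", and that the responder picks exactly one of the proposed labels.

```python
import ipaddress

# Assumed tuple notation: "(proto,port,lo-hi)"; proto 0 / port 0 mean "any".
def parse_ts(text):
    """Return (proto, port_lo, port_hi, ip_lo, ip_hi); raises ValueError if malformed."""
    proto, port, addrs = text.strip("()").split(",")
    lo, hi = (ipaddress.ip_address(a.strip()) for a in addrs.split("-"))
    if lo > hi:
        raise ValueError(f"reversed address range: {text}")
    port = int(port)
    port_hi = 65535 if port == 0 else port  # assumption: port 0 means any port
    return int(proto), port, port_hi, lo, hi

def is_well_formed(text):
    """False for selectors such as (0,0,198.51.0-198.51.255) with 3-octet addresses."""
    try:
        parse_ts(text)
        return True
    except ValueError:
        return False

def covers(outer, inner):
    """True when `inner` is a subset of `outer` (protocol, ports and addresses)."""
    op, opl, oph, olo, ohi = outer
    ip_, ipl, iph, ilo, ihi = inner
    proto_ok = op == 0 or op == ip_
    port_ok = opl <= ipl and iph <= oph
    addr_ok = olo <= ilo and ihi <= ohi
    return proto_ok and port_ok and addr_ok

def check_narrowing(proposed, chosen, proposed_labels, chosen_labels):
    """Validate a responder's selector list and label against the initiator's offer."""
    offered = [parse_ts(t) for t in proposed]
    for t in chosen:
        sel = parse_ts(t)
        if not any(covers(o, sel) for o in offered):
            return False, f"{t} is not within any proposed selector"
    # Assumption: the responder returns exactly one of the proposed labels.
    if len(chosen_labels) != 1 or not chosen_labels <= proposed_labels:
        return False, "responder label not among proposed labels"
    return True, "ok"

# Constructed input mirroring the corrected TSi example above.
PROPOSED_TSI = ["(17,24233,198.51.100.12-198.51.100.12)",
                "(0,0,198.51.100.0-198.51.100.255)",
                "(0,0,192.0.2.0-192.0.2.255)"]
```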