Clarifying question: How exactly would it work to disable weak KEs for peers that support strong KE? The peer doesn't identify itself until the IKE_AUTH exchange, at which point the sequence of KEs has already been negotiated and executed. Is it possible to abort due to insufficient KE parameters at this point?

[HJ] As described in my previous email, in typical deployments both peers either belong to or are controlled by the same organization, so at least one peer will be able to know the remote peer's capabilities without relying on IKE negotiation, and could have a corresponding configuration to disable weak KEs toward that peer. Another approach is, like you mentioned, that there are IPsec implementations that could abort the negotiation based on local policy config once they have learned the peer's IKEv2 ID.
_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
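The two policies described in the reply, as an added example that is not code from the thread or from any IPsec implementation: a per-peer proposal filter applied before IKE_SA_INIT when the peer's capabilities are known out of band, and a local-policy check applied once IKE_AUTH reveals the peer's IKEv2 ID. Group numbers are the IANA IKEv2 D-H group IDs; the addresses, identities and policy tables are constructed for the example.

```python
"""Local KE policy model for IKEv2 (added example; tables are constructed)."""

# IANA IKEv2 Transform Type 4 (D-H group) identifiers.
MODP_1024, MODP_2048, ECP_256, X25519 = 2, 14, 19, 31
GROUP_NAMES = {2: "MODP-1024", 14: "MODP-2048", 19: "ECP-256", 31: "X25519"}

# Groups this deployment treats as weak (assumption for the example).
WEAK = {MODP_1024}

# Approach 1: capabilities known out of band (same organisation), keyed by the
# address the initiator connects to. Constructed sample data.
KNOWN_PEER_CAPS = {
    "192.0.2.10": {MODP_2048, ECP_256, X25519},  # modern peer
    "192.0.2.20": {MODP_1024},                   # legacy peer, MODP-1024 only
}

# Approach 2: policy keyed by the IKEv2 ID learned in IKE_AUTH. Constructed.
ID_POLICY = {
    "gw1.example.com": {"forbid": WEAK},      # strong peer: weak KE is an error
    "legacy.example.com": {"forbid": set()},  # legacy peer: nothing to forbid
}


def proposal_for(addr, default_groups):
    """KE groups to offer to addr. If the peer is known to support at least one
    non-weak group, the weak ones are dropped so they cannot be negotiated."""
    caps = KNOWN_PEER_CAPS.get(addr)
    if caps and caps - WEAK:
        return [g for g in default_groups if g not in WEAK]
    return list(default_groups)  # unknown or legacy peer: offer as configured


def check_after_auth(peer_id, negotiated_chain):
    """Run when IKE_AUTH has revealed peer_id. negotiated_chain is the list of
    groups already used (initial KE plus any additional KEs); the key exchange
    work is done by now, so the only remaining remedy is to abort the IKE SA.
    Returns (accept, reason)."""
    policy = ID_POLICY.get(peer_id)
    if policy is None:
        return False, f"no local policy for peer ID {peer_id!r}"
    bad = [GROUP_NAMES.get(g, str(g)) for g in negotiated_chain if g in policy["forbid"]]
    if bad:
        return False, f"{peer_id}: forbidden KE group(s) {', '.join(bad)}; abort IKE SA"
    return True, "ok"


if __name__ == "__main__":
    print(proposal_for("192.0.2.10", [MODP_1024, MODP_2048, ECP_256]))
    print(check_after_auth("gw1.example.com", [MODP_1024]))
```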
