Hi
This may have been discussed before, but I haven’t found such discussion.
Apologies in advance if this is a stupid question.
Suppose we have two VPN peers configured to set up a tunnel between them.
Suppose further that the IKE SAs are significantly longer-lived than the IPsec
SAs.
PFS is
Hi, Vijay.
Thanks for the response.
On May 28, 2015, at 12:38 PM, vijay kn vijay...@huawei.com wrote:
The only problem I see is if the Gw-1 rekeyed with group19 but GW2 does not
support Group19 then it can result in traffic loss. For this, the
administrators of the two devices must
Yoav Nir writes:
When the tunnel is first set up, it is negotiated in the IKE_AUTH
exchange. Diffie-Hellman is not performed, so the mismatched
configuration is not detected - traffic flows through the tunnel.
If your setup is such that you configure only one Diffie-Hellman group for
IKEv2,
Hi,
Implementations can follow this RFC extract to avoid traffic loss.
Since the initiator sends its Diffie-Hellman value in the
IKE_SA_INIT, it must guess the Diffie-Hellman group that the
responder will select from its list of supported groups. If the
initiator guesses wrong, the
On May 28, 2015, at 1:40 PM, Tero Kivinen kivi...@iki.fi wrote:
Yoav Nir writes:
When the tunnel is first set up, it is negotiated in the IKE_AUTH
exchange. Diffie-Hellman is not performed, so the mismatched
configuration is not detected - traffic flows through the tunnel.
If your setup
If your setup is such that you configure only one Diffie-Hellman group for
IKEv2, which is then used for both IKE SA and Child SAs, then you
would notice this misconfiguration immediately.
My product has a separate configuration for phase 1 Diffie-Hellman group
and phase 2 Diffie-Hellman
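The two mechanics discussed in this thread, shown side by side as an added worked example (this is not code from any of the posters or from a real IKE implementation): the first Child SA is created inside IKE_AUTH, which performs no Diffie-Hellman, so a "phase 2" group mismatch is silent until the first CREATE_CHILD_SA rekey with PFS; at that rekey the initiator has to guess a group, and the RFC 7296 INVALID_KE_PAYLOAD retry only rescues the tunnel if the responder's group is also in the initiator's list. Group numbers follow the IANA IKEv2 Transform Type 4 registry (14 = 2048-bit MODP, 19 = 256-bit random ECP); the peer configurations, the payload shapes and the rule that the responder picks its own first preference among the proposed groups are assumptions made for illustration.

```python
"""Toy model of IKEv2 Diffie-Hellman group negotiation for the IKE SA versus
the Child SAs.  Constructed example for this thread, not code from any poster
or real IKE implementation.  Group numbers are IANA IKEv2 Transform Type 4
values (14 = 2048-bit MODP, 19 = 256-bit random ECP); peer configurations and
payload shapes are invented for illustration.
"""
from dataclasses import dataclass

OK = "OK"
INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"
NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"


@dataclass
class Peer:
    name: str
    ike_groups: list      # "phase 1" groups, in preference order
    child_groups: list    # "phase 2" (PFS) groups, in preference order


def responder_select(responder_groups, proposed_groups, ke_group):
    """Responder side of an exchange that carries a KE payload.

    Modelling choice: the responder picks its own first preference among the
    groups the initiator proposed.  Returns (OK, group) when the initiator's
    KE payload already uses that group, (INVALID_KE_PAYLOAD, group) when the
    guess was wrong (RFC 7296 section 2.7 tells the initiator which group to
    use instead), and (NO_PROPOSAL_CHOSEN, None) when nothing overlaps.
    """
    acceptable = [g for g in responder_groups if g in proposed_groups]
    if not acceptable:
        return NO_PROPOSAL_CHOSEN, None
    chosen = acceptable[0]
    if ke_group == chosen:
        return OK, chosen
    return INVALID_KE_PAYLOAD, chosen


def negotiate_with_ke(initiator_groups, responder_groups):
    """Initiator guesses its first group and retries once on INVALID_KE_PAYLOAD.

    Returns (agreed group or None, transcript); each transcript entry is
    (group carried in the KE payload, responder status, group the responder
    named).
    """
    transcript = []
    guess = initiator_groups[0]
    status, named = responder_select(responder_groups, initiator_groups, guess)
    transcript.append((guess, status, named))
    if status == INVALID_KE_PAYLOAD:
        # The responder named a group we proposed, so resend with that one.
        guess2 = named
        status, named = responder_select(responder_groups, initiator_groups, guess2)
        transcript.append((guess2, status, named))
    return (named if status == OK else None), transcript


def bring_up_tunnel(initiator, responder):
    """Initial setup.  IKE_SA_INIT carries a KE payload, so the IKE group is
    negotiated and any mismatch surfaces at once.  The first Child SA is made
    inside IKE_AUTH, which performs no Diffie-Hellman, so the child/PFS groups
    are never compared here: a mismatch is silent and traffic flows."""
    ike_group, transcript = negotiate_with_ke(initiator.ike_groups,
                                              responder.ike_groups)
    return {"ike_group": ike_group, "child_up": ike_group is not None,
            "transcript": transcript}


def rekey_child(initiator, responder):
    """CREATE_CHILD_SA rekey with PFS carries a KE payload; this is the first
    time the child groups are compared.  A None group means the rekey failed
    and the tunnel loses traffic."""
    return negotiate_with_ke(initiator.child_groups, responder.child_groups)


# Constructed peers.  GW-2 supports only group 14 for both IKE and PFS.
GW2 = Peer("GW-2", ike_groups=[14], child_groups=[14])
# GW-1 variants: PFS group 19 only (the lossy case from the thread), PFS
# preferring 19 but also allowing 14 (recoverable via INVALID_KE_PAYLOAD),
# and one group for both IKE and Child SAs (mismatch caught at IKE_SA_INIT).
GW1_PFS_ONLY_19 = Peer("GW-1", ike_groups=[14], child_groups=[19])
GW1_PFS_19_OR_14 = Peer("GW-1", ike_groups=[14], child_groups=[19, 14])
GW1_SINGLE_GROUP_19 = Peer("GW-1", ike_groups=[19], child_groups=[19])

if __name__ == "__main__":
    for gw1 in (GW1_PFS_ONLY_19, GW1_PFS_19_OR_14, GW1_SINGLE_GROUP_19):
        up = bring_up_tunnel(gw1, GW2)
        print(gw1.ike_groups, gw1.child_groups, "setup:", up["ike_group"], up["child_up"])
        if up["child_up"]:
            print("   rekey:", rekey_child(gw1, GW2))
```

Running it shows the three outcomes the thread describes: with PFS set to group 19 only, the tunnel comes up and then the first rekey fails with NO_PROPOSAL_CHOSEN; with 19 preferred but 14 allowed, the rekey survives via a single INVALID_KE_PAYLOAD round trip; with one group configured for everything, the misconfiguration is visible at IKE_SA_INIT before any traffic flows.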
On May 28, 2015, at 7:21 AM, Paul Wouters p...@nohats.ca wrote:
I had a long talk with Tero a few IETFs ago, and he was pretty
convincing that it makes no sense whatsoever to have different
phase 1/2 diffie hellman groups.
We actually talked about this during the design of IKEv2, but some