[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Question about KE payload

To: "climbor" <climbor@163.com>, <ipsec@lists.tislabs.com>
Subject: Re: Question about KE payload
From: "kiran kumar" <kirankumar.chunduri@analog.com>
Date: Wed, 4 Sep 2002 14:48:36 +0530
References: <00ad01c253ba$b6fe0b40$17301bd2@xajump.edu.cn>
Sender: owner-ipsec@lists.tislabs.com

It's not possible to have seperate DH-group for each SA negotiated in first
Quick message. The same KE payload must apply to all SA's being negotiated.
"refer section 5.5.-rfc 2409".
''All offers made during a Quick Mode are logically related and must be
consistant. For example, if a KE payload is sent, the attribute describing
the Diffie-Hellman group MUST be included in every transform of every
proposal of every SA being negotiated. Similarly, if client identities are
used, they MUST  apply to every SA in the negotiation". It's an in-valid
case.

thanks,
kiran kumar

----- Original Message -----
From: "climbor" <climbor@163.com>
To: <ipsec@lists.tislabs.com>
Sent: Wednesday, September 04, 2002 7:58 AM
Subject: Question about KE payload


> Hi all,
>
> Here is my question:
> How to construct the KE payload if there are multiple SA in the first
Quick message and each SA have different PFS group (say group 1 and group
2)? Construct multiple KE payload too? Or just select the longer one? Or
this is just a invalid case (Netscreen support multiple SA with different
PFS group, I guest so from its manual)?
>
> thanks
>

References:
- Question about KE payload
  - From: "climbor" <climbor@163.com>

Prev by Date: Re: IPSec v6 on linux
Next by Date: Re: Question about KE payload
Prev by thread: Question about KE payload
Next by thread: Re: Question about KE payload
Index(es):
- Date
- Thread