Re: Question about KE payload
It's not a valid case. If you are going to send KE in Quick Mode then the
same DH-group must be present in every transform in every proposal in every
SA. Even netscreen doesn't allow this configuration. You recheck this.
Cheers,
kiran kumar
----- Original Message -----
From: "climbor" <climbor@163.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Thursday, September 05, 2002 3:15 PM
Subject: Re: Question about KE payload
To: "kiran kumar" <kirankumar.chunduri@analog.com>; "Saket Dandawate" <sdandawate@pace.stpp.soft.net>
> Hi,
> thanks Saket and kiran.
>
> Then what about a single SA payload with several proposals?
>
> HDR*, HASH(1), SA, Ni,
>   [, KE ] [, IDci, IDcr ]      -->
>                              <-- HDR*, HASH(2), SA, Nr,
>                                    [, KE ] [, IDci, IDcr ]
> HDR*, HASH(3)                  -->
>
> 1. ISAKMP header
> 2. Hash
> 3. SA payload (SA 0)
>      - Proposal Payload #1
>          - Transform Payload
>              - Attribute Payloads with Group 1
>      - Proposal Payload #2
>          - Transform Payload
>              - Attribute Payloads with Group 2
>      - Other Proposal Payload
>      ......
> 4. KE payload
> 5. Identity Payload IDci
> 6. Identity Payload IDcr
>
> Is this case valid? If so, how is the KE payload constructed?
> This question came to me when I read the manual of the NetScreen
> Firewall. It can be configured like this:
> set ike p2-proposal G1 group1 ...
> set ike p2-proposal G2 group2 ...
> and then,
> set vpn VPN gateway SOME_GW proposal G1 G2 ...
> then I just wonder how the NetScreen deals with this case?
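The rule kiran states in the reply (one KE payload per Quick Mode exchange, so every transform in every proposal in every SA payload must carry the same DH group when PFS is used) can be turned into a simple offer-validation check. The code below is an added example written for this archive page; it is not code from either poster, from NetScreen, or from any IKE implementation. It models a Quick Mode SA payload as a list of proposals with transforms and attribute maps (a constructed data model), uses the IPsec DOI attribute type for Group Description (3, RFC 2407) and the usual MODP group identifiers, and builds a constructed version of the "proposal G1 G2" configuration climbor describes to show why an implementation must reject or normalise it before sending a KE payload.

```python
"""Consistency check for the DH group in an IKEv1 Quick Mode offer.

Added example (not from the thread).  There is exactly one KE payload,
hence one DH exponent, per Quick Mode exchange, so a single offer cannot
mix Group Description values across its transforms, proposals or SA
payloads.  The data model and sample offers below are constructed for
illustration; attribute and protocol numbers follow the IPsec DOI.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GROUP_DESCRIPTION = 3          # IPsec DOI SA attribute type (RFC 2407)
PROTO_IPSEC_ESP = 3            # IPsec DOI protocol id for ESP
ESP_3DES = 3                   # ESP transform id used in the samples

# Well-known IKE group identifiers, for readable diagnostics only
GROUP_NAMES = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}


@dataclass
class Transform:
    transform_id: int
    attributes: Dict[int, int] = field(default_factory=dict)


@dataclass
class Proposal:
    number: int
    protocol_id: int
    transforms: List[Transform] = field(default_factory=list)


def pfs_group_for_offer(sa_payloads: List[List[Proposal]]) -> Optional[int]:
    """Return the one DH group a KE payload would have to use.

    Returns None when no transform requests PFS (then KE is simply omitted).
    Raises ValueError when the offer mixes groups, or mixes PFS and non-PFS
    transforms, since neither can be expressed with a single KE payload.
    """
    groups = set()
    transforms_seen = 0
    for proposals in sa_payloads:
        for proposal in proposals:
            for transform in proposal.transforms:
                transforms_seen += 1
                groups.add(transform.attributes.get(GROUP_DESCRIPTION))
    if transforms_seen == 0:
        raise ValueError("offer carries no transforms")
    if groups == {None}:
        return None
    if None in groups:
        raise ValueError("some transforms request PFS and others do not")
    if len(groups) > 1:
        names = sorted(GROUP_NAMES.get(g, str(g)) for g in groups)
        raise ValueError("conflicting DH groups in one Quick Mode offer: "
                         + ", ".join(names))
    return groups.pop()


def describe_offer(sa_payloads: List[List[Proposal]]) -> str:
    """Human-readable verdict: what (if any) KE payload the offer implies."""
    try:
        group = pfs_group_for_offer(sa_payloads)
    except ValueError as exc:
        return f"invalid: {exc}"
    if group is None:
        return "valid: no PFS, omit KE"
    return f"valid: send KE for {GROUP_NAMES.get(group, str(group))}"


def netscreen_style_offer() -> List[List[Proposal]]:
    """Constructed model of 'proposal G1 G2' with G1=group1 and G2=group2:
    a single SA payload holding two proposals that disagree on the group."""
    g1 = Proposal(1, PROTO_IPSEC_ESP, [Transform(ESP_3DES, {GROUP_DESCRIPTION: 1})])
    g2 = Proposal(2, PROTO_IPSEC_ESP, [Transform(ESP_3DES, {GROUP_DESCRIPTION: 2})])
    return [[g1, g2]]


def consistent_offer() -> List[List[Proposal]]:
    """The same two proposals after normalising both to group 2 (constructed)."""
    g1 = Proposal(1, PROTO_IPSEC_ESP, [Transform(ESP_3DES, {GROUP_DESCRIPTION: 2})])
    g2 = Proposal(2, PROTO_IPSEC_ESP, [Transform(ESP_3DES, {GROUP_DESCRIPTION: 2})])
    return [[g1, g2]]


def no_pfs_offer() -> List[List[Proposal]]:
    """Two proposals with no Group Description at all: no PFS, no KE (constructed)."""
    g1 = Proposal(1, PROTO_IPSEC_ESP, [Transform(ESP_3DES)])
    g2 = Proposal(2, PROTO_IPSEC_ESP, [Transform(ESP_3DES)])
    return [[g1, g2]]


if __name__ == "__main__":
    for name, offer in (("G1 G2 mixed", netscreen_style_offer()),
                        ("both group2", consistent_offer()),
                        ("no PFS", no_pfs_offer())):
        print(f"{name}: {describe_offer(offer)}")
```

Running the block prints a verdict for each constructed offer: the mixed "G1 G2" offer is flagged as invalid, the normalised offer yields a single group for the KE payload, and the offer without any Group Description attribute is valid with KE omitted. An initiator that builds its SA payload from a list of named proposals should run a check of this kind before deciding whether to attach KE; a responder that receives a mixed offer has no single group to compute the shared secret against and should reject the exchange rather than guess.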