
Re: Question about KE payload



Hi,
Thanks, Saket and Kiran.

Then what about a single SA payload with several proposals?

        HDR*, HASH(1), SA, Ni,
        [, KE ] [, IDci, IDcr ] -->
                                           <--    HDR*, HASH(2), SA, Nr,
                                                    [, KE ] [, IDci, IDcr ]
        HDR*, HASH(3)       -->

        1. ISAKMP header
        2. Hash
        3.  -SA payload (SA 0)
             -Proposal Payload #1
                 -Transform Payload
                 -Attribute Payloads with Group 1
             -Proposal Payload #2
                 -Transform Payload
                 -Attribute Payloads with Group 2
             -Other Proposal Payload
                 ......
        4. KE payload
        5. Identity Payload IDci
        6. Identity Payload IDcr

Is this case valid? If so, how should the KE payload be constructed?
This question came to me when I read the menu of the NetScreen
Firewall. It can be configured like this:
        set ike p2-proposal G1 group1 ...
        set ike p2-proposal G2 group2 ...
     and then,
        set vpn VPN gateway SOME_GW proposal G1 G2 ...
So I just wonder: how does the NetScreen deal with this case?