
RE: Using config mode together with extended authentication



In the scenario you mention, the CP is sent before SAi2 and SAr2.  So the
initiator sends CP(CFG_REQUEST) in the first IKE_AUTH exchange and the
responder sends CP(CFG_REPLY) in the last IKE_AUTH exchange.  Using the EAP
example from the IKEv2-05 draft and inserting CP, it would look like this:

Initiator                          Responder
-----------                        -----------
HDR, SAi1, KEi, Ni         -->
                           <--    HDR, SAr1, KEr, Nr, [CERTREQ]
HDR, SK {IDi, [CERTREQ,] [IDr,]
         [CP], SAi2, TSi, TSr}   -->
                           <--    HDR, SK {IDr, [CERT,] AUTH,
                                           EAP }
HDR, SK {EAP, [AUTH] }     -->
                           <--    HDR, SK {EAP, [AUTH],
                                           [CP], SAr2, TSi, TSr }


Charlie, could you add the CP payloads to the example for EAP so this is
clearer?

Darren



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Geoffrey Huang
> Sent: Thursday, March 13, 2003 3:08 PM
> To: ipsec@lists.tislabs.com
> Subject: Using config mode together with extended authentication
>
>
> I've looked over the sections regarding EAP/XAuth and Config mode in
> IKEv2-05, and there are packet descriptions in each section describing
> what IKE looks like if either one is used.  But what happens if you do
> the cfg request and EAP?  Based on the EAP description, the responder
> sends an EAP request in the 4th message, starting off an EAP exchange.
>
> But the Cfg Request description says that the initiator sends a CP
> payload before the SAi2 payload.  Does this mean that if we do both CP
> and EAP it looks like:
>
> INIT             RESPO
> msg1   ---->
>        <----     msg2
> msg3+CP ---->
>        <----     msg4+EAP
> EAP    ---->
>        <----     CP reply, etc.
>
> Maybe it's described in the document, and I just missed it.
>
> -g
>
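A small model of the message sequence Darren sketches above, as an added example that is not part of this thread or of the IKEv2-05 draft: it builds the IKE_SA_INIT and IKE_AUTH messages for any number of EAP round trips, keeps CP(CFG_REQUEST) ahead of SAi2 in the initiator's first IKE_AUTH message and CP(CFG_REPLY) beside SAr2 in the responder's last one, and then checks that placement, including that the reply is only sent after the initiator's AUTH has arrived. The Message class, build_exchange, check_cp_placement and render_exchange are names invented here; the optional payloads (CERTREQ, IDr, CERT) are simply included, and the AUTH payloads are put on the last EAP round as in the diagram.

```python
from dataclasses import dataclass

# Payload abbreviations follow the draft's diagrams (SAi1, KEi, Ni, ...).
CP_REQUEST = "CP(CFG_REQUEST)"
CP_REPLY = "CP(CFG_REPLY)"


@dataclass
class Message:
    sender: str          # "I" (initiator) or "R" (responder)
    payloads: list       # payload names in wire order
    encrypted: bool      # True when the payloads sit inside SK { ... }

    def render(self) -> str:
        body = ", ".join(self.payloads)
        return f"HDR, SK {{{body}}}" if self.encrypted else f"HDR, {body}"


def build_exchange(eap_rounds: int) -> list:
    """Return the full message list for IKE_SA_INIT plus an IKE_AUTH that
    carries EAP, with the config payloads placed as Darren describes.
    eap_rounds is the number of initiator->responder EAP round trips after
    the responder's first EAP payload (the diagram shows one)."""
    if eap_rounds < 1:
        raise ValueError("EAP needs at least one round trip after the first EAP payload")
    msgs = [
        Message("I", ["SAi1", "KEi", "Ni"], False),
        Message("R", ["SAr1", "KEr", "Nr", "CERTREQ"], False),
        # First IKE_AUTH message: the CP request precedes SAi2, as the
        # config-mode section requires.
        Message("I", ["IDi", "IDr", CP_REQUEST, "SAi2", "TSi", "TSr"], True),
        # Responder authenticates itself and starts EAP; no CP reply yet.
        Message("R", ["IDr", "CERT", "AUTH", "EAP"], True),
    ]
    # Intermediate EAP rounds carry only EAP.
    for _ in range(eap_rounds - 1):
        msgs.append(Message("I", ["EAP"], True))
        msgs.append(Message("R", ["EAP"], True))
    # Last round: AUTH on both sides, and the CFG_REPLY travels together with
    # SAr2/TSi/TSr, i.e. only once EAP has completed.
    msgs.append(Message("I", ["EAP", "AUTH"], True))
    msgs.append(Message("R", ["EAP", "AUTH", CP_REPLY, "SAr2", "TSi", "TSr"], True))
    return msgs


def check_cp_placement(msgs: list) -> dict:
    """Placement rules a reader of the thread would want to verify.
    Returns one boolean per rule so a violation can be named."""
    first_auth_i = next(m for m in msgs if m.sender == "I" and m.encrypted)
    p = first_auth_i.payloads
    reply_idx = [i for i, m in enumerate(msgs) if CP_REPLY in m.payloads]
    auth_i_idx = [i for i, m in enumerate(msgs) if m.sender == "I" and "AUTH" in m.payloads]
    return {
        # CFG_REQUEST must sit before SAi2 in the first initiator IKE_AUTH message.
        "request_before_sai2": CP_REQUEST in p and "SAi2" in p
                               and p.index(CP_REQUEST) < p.index("SAi2"),
        # Exactly one CFG_REPLY, and it rides with SAr2.
        "reply_with_sar2": len(reply_idx) == 1 and "SAr2" in msgs[reply_idx[0]].payloads,
        # The responder hands out configuration only after the initiator's AUTH.
        "reply_after_initiator_auth": bool(reply_idx) and bool(auth_i_idx)
                                      and reply_idx[0] > auth_i_idx[0],
        # No CP payload in the responder's first IKE_AUTH reply or during EAP.
        "no_cp_during_eap": all(not any(x.startswith("CP(") for x in m.payloads)
                                for m in msgs[3:-1]),
    }


def render_exchange(msgs: list) -> str:
    """Two-column text in the style of the draft's diagrams."""
    lines = []
    for m in msgs:
        if m.sender == "I":
            lines.append(f"{m.render():<40} -->")
        else:
            lines.append(f"{'':<40} <--  {m.render()}")
    return "\n".join(lines)


if __name__ == "__main__":
    exchange = build_exchange(eap_rounds=2)
    print(render_exchange(exchange))
    print(check_cp_placement(exchange))
```

Running it with eap_rounds=1 reproduces Darren's diagram line for line; a larger value inserts the extra SK {EAP} round trips between message 4 and the final pair, and the checks still pass because neither CP payload moves.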