RE: Using config mode together with extended authentication
OK - that's what I thought, that CP brackets the EAP exchange. I just
wanted to be sure. It'd be good to add the example below to the
document.
-g
> -----Original Message-----
> From: Darren Dukes [mailto:ddukes@cisco.com]
> Sent: Thursday, March 13, 2003 1:20 PM
> To: Geoffrey Huang; ipsec@lists.tislabs.com
> Cc: Charlie Kaufman
> Subject: RE: Using config mode together with extended authentication
>
>
> In the scenario you mention the CP is sent before SAi2 and
> SAr2. So the
> initiator sends CP(CFG_REQUEST) in the first IKE_AUTH exchange and the
> responder sends CP(CFG_REPLY) in the last IKE_AUTH exchange.
> Using the EAP
> example from the IKEv2-05 draft and inserting CP it would
> look like this...
>
> Initiator                                  Responder
> -----------                                -----------
> HDR, SAi1, KEi, Ni                    -->
>                                       <--  HDR, SAr1, KEr, Nr, [CERTREQ]
> HDR, SK {IDi, [CERTREQ,] [IDr,]
>          [CP], SAi2, TSi, TSr}        -->
>                                       <--  HDR, SK {IDr, [CERT,] AUTH,
>                                                     EAP }
> HDR, SK {EAP, [AUTH] }                -->
>                                       <--  HDR, SK {EAP, [AUTH],
>                                                     [CP], SAr2, TSi, TSr }
>
>
> Charlie, could you add the CP payloads to the example for EAP
> so this is
> clearer?
>
> Darren
>
>
>
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Geoffrey Huang
> > Sent: Thursday, March 13, 2003 3:08 PM
> > To: ipsec@lists.tislabs.com
> > Subject: Using config mode together with extended authentication
> >
> >
> > I've looked over the sections regarding EAP/XAuth and Config mode in
> > IKEv2-05, and there are packet descriptions in each section describing
> > what IKE looks like if either one is used. But what happens if you do
> > the cfg request and EAP? Based on the EAP description, the responder
> > sends an EAP request in the 4th message, starting off an EAP exchange.
> >
> > But the Cfg Request description says that the initiator sends a CP
> > payload before the SAi2 payload. Does this mean that if we do both CP
> > and EAP it looks like:
> >
> > INIT               RESPO
> > msg1       ---->
> >            <----   msg2
> > msg3+CP    ---->
> >            <----   msg4+EAP
> > EAP        ---->
> >            <----   CP reply, etc.
> >
> > Maybe it's described in the document, and I just missed it.
> >
> > -g
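An added example, not part of the thread: it encodes the IKE_AUTH sequence Darren lays out (CP(CFG_REQUEST) before SAi2 in the first initiator message, CP(CFG_REPLY) travelling with SAr2 in the final responder message after EAP completes) and checks a candidate sequence against those placement rules. The number of EAP round trips, the payload labels, and the checker itself are assumptions for illustration, not anything from the IKEv2-05 draft.

```python
# Added example: model of the IKEv2-05 IKE_AUTH exchange with EAP and CP.
# Payload labels and the round-trip count are constructed for illustration.

CFG_REQ = "CP(CFG_REQUEST)"
CFG_REP = "CP(CFG_REPLY)"


def ike_auth_with_eap_and_cp(eap_rounds=1):
    """Return the IKE_AUTH messages as (sender, payload list) tuples.

    eap_rounds=1 reproduces the four-message picture in the thread; each
    extra round adds one more EAP request/response pair in the middle.
    """
    msgs = [
        ("I", ["IDi", CFG_REQ, "SAi2", "TSi", "TSr"]),   # CP before SAi2
        ("R", ["IDr", "AUTH", "EAP"]),                    # EAP starts here
    ]
    for _ in range(eap_rounds - 1):
        msgs.append(("I", ["EAP"]))
        msgs.append(("R", ["EAP"]))
    msgs.append(("I", ["EAP", "AUTH"]))                   # EAP done, prove key
    msgs.append(("R", ["EAP", "AUTH", CFG_REP, "SAr2", "TSi", "TSr"]))
    return msgs


def check_cp_placement(msgs):
    """Return a list of placement problems (empty when the sequence is OK)."""
    problems = []
    first = msgs[0][1]
    if CFG_REQ not in first:
        problems.append("CFG_REQUEST missing from first IKE_AUTH message")
    elif first.index(CFG_REQ) > first.index("SAi2"):
        problems.append("CFG_REQUEST must precede SAi2")
    last = msgs[-1][1]
    if "SAr2" not in last or CFG_REP not in last or "AUTH" not in last:
        problems.append("CFG_REPLY must travel with AUTH and SAr2 in the final reply")
    # CP is bracketed by the EAP exchange: no CP in the intermediate messages.
    for n, (_, payloads) in enumerate(msgs[1:-1], start=2):
        if any(p.startswith("CP") for p in payloads):
            problems.append(f"unexpected CP in IKE_AUTH message {n}")
    return problems


if __name__ == "__main__":
    for sender, payloads in ike_auth_with_eap_and_cp(eap_rounds=2):
        print(sender, ", ".join(payloads))
    print("problems:", check_cp_placement(ike_auth_with_eap_and_cp(2)))
```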