ipsec November 2007 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: RE: [IPsec] CHILD_SA and PFS

RE: [IPsec] CHILD_SA and PFS

From: <Pasi.Eronen_at_nospam>
Date: Tue Nov 20 2007 - 11:07:39 GMT
To: <rcharlet@nortel.com>, <cnguyen@certicom.com>, <ipsec@ietf.org>

Ricky Charlet wrote:

> Hi Pasi,
> Does this still leave a true IKEv2 protocol problem for environments
> which wish to configure separate DH groups for IKE and IPsec SAs and
> also have reasons (NAT / remote-access) to configure the peers as
> initiator/responder only?
> If the answer is "if you need to configure initiator/responder
> only then you have to adminstrativly ensure that your PFS policy
> uses the same DH group for both IKE and IPsec" that would be fine
> (with me). I'm just not yet clear if that is what you are saying.

Well, the answer is that "if you want to do PFS, you need to configure the initiator and the responder so that they have at least one acceptable DH group in common".

This is the case even with the protocol changes Chinh is proposing. The difference is only at what time the policy mismatch is detected and the connection is torn down (until the administrator changes the configuration).

Best regards,

IPsec mailing list