[Swan-dev] a better unified proposal matcher

Andrew Cagney andrew.cagney at gmail.com
Fri Feb 27 07:43:09 EET 2015


On 26 February 2015 at 16:08, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 26 Feb 2015, D. Hugh Redelmeier wrote:
>
>> Then I read your parenthetical remark.  Why would you want to
>> match ESP with DH?  How could they ever match?  I'm pretty sure that
>> I'm missing something.

>
> I think he means an ESP proposal protected by PFS (eg an additional DH
> with KE) in the CREATE_CHILD_SA ?

Yes.

Match an ESP proposal that includes [with] a DH transform.
In ikev2_spdb_struct.c both parent (IKE) and child (ESP,?H) have
redundant code, and no need to be dealing with v1 structures.

> similar to ikev1, where a modp on the ike line meant for Main Mode, and
> a modp on the esp line meant for additional Quick Modes.
>
> Paul

