[Swan-dev] can an IKEv1 aggressive initial request contain a cert?
Andrew Cagney
andrew.cagney at gmail.com
Thu Mar 5 17:02:29 UTC 2020
Reading the RFC, I can see CERT in:
- the aggressive initial response
- the second aggressive request
but not for the initial request (but pluto still tries to unpack it).
However, the state machine comments:
    /* STATE_AGGR_R0:
     * SMF_PSK_AUTH: HDR, SA, KE, Ni, IDii
     *           --> HDR, SA, KE, Nr, IDir, HASH_R
     * SMF_DS_AUTH: HDR, SA, KE, Nr, IDii
     *           --> HDR, SA, KE, Nr, IDir, [CERT,] SIG_R
     */
seem to imply that it is (the code seems to deliberately allow CERT anywhere).
Andrew
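
Added example, not part of the original post and not pluto's code: a strict per-message check that walks the ISAKMP payload chain of an aggressive-mode initial request and reports any payload type outside the set the quoted comment lists (SA, KE, nonce, ID), so a CERT there is flagged instead of unpacked. The names payload_mask, check_types and AGGR_I1_DS are hypothetical, the test messages are constructed with empty payload bodies, and the header length field is not checked.

```c
#include <stdint.h>
#include <stddef.h>
/* ISAKMP payload type numbers (RFC 2408 section 3.1). */
enum { PT_NONE = 0, PT_SA = 1, PT_KE = 4, PT_ID = 5, PT_CERT = 6, PT_NONCE = 10 };
#define BIT(t) (1u << (t))
#define MALFORMED BIT(PT_NONE) /* bit 0 can never be a real payload type */
#define HDR_LEN 28             /* fixed ISAKMP header size */
#define XCHG_AGGRESSIVE 4      /* exchange type, header byte 18 */
/* Assumed allowed set for the initial request: HDR, SA, KE, Ni, IDii. */
static const uint32_t AGGR_I1_DS = BIT(PT_SA) | BIT(PT_KE) | BIT(PT_NONCE) | BIT(PT_ID);

/* Walk the payload chain and return a bitmask of the payload types seen. */
uint32_t payload_mask(const uint8_t *msg, size_t len)
{
    if (len < HDR_LEN || msg[18] != XCHG_AGGRESSIVE)
        return MALFORMED;
    uint32_t mask = 0;
    size_t off = HDR_LEN;
    for (uint8_t np = msg[16]; np != PT_NONE; ) {
        if (np > 31 || len - off < 4)   /* type too big for the mask, or truncated */
            return MALFORMED;
        size_t plen = ((size_t)msg[off + 2] << 8) | msg[off + 3];
        if (plen < 4 || plen > len - off)
            return MALFORMED;           /* length field under- or overruns */
        mask |= BIT(np);
        np = msg[off];                  /* next-payload byte of this payload */
        off += plen;
    }
    return off == len ? mask : MALFORMED;
}

/* Constructed input: header plus n empty payloads; returns types not in `allowed`. */
uint32_t check_types(const uint8_t *types, size_t n, uint32_t allowed)
{
    uint8_t buf[HDR_LEN + 4 * 8] = { 0 };
    if (n == 0 || n > 8) return MALFORMED;
    buf[16] = types[0];
    buf[18] = XCHG_AGGRESSIVE;
    for (size_t i = 0; i < n; i++) {
        buf[HDR_LEN + 4 * i] = (i + 1 < n) ? types[i + 1] : PT_NONE;
        buf[HDR_LEN + 4 * i + 3] = 4;   /* payload length: generic header only */
    }
    return payload_mask(buf, HDR_LEN + 4 * n) & ~allowed;
}

int main(void)
{
    const uint8_t t[] = { PT_SA, PT_KE, PT_NONCE, PT_ID, PT_CERT };
    return check_types(t, 5, AGGR_I1_DS) == BIT(PT_CERT) ? 0 : 1;
}
```

A non-zero result names the offending payload types by bit position; bit 0 means the chain itself was malformed.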