[Swan-dev] can an IKEv1 aggressive initial request contain a cert?

Andrew Cagney andrew.cagney at gmail.com
Thu Mar 5 17:02:29 UTC 2020

Reading the RFC, I can see CERT in:

- the aggressive initial response
- the second aggressive request

but not for the initial request (but pluto still tries to unpack it).
However, the state machine comments:

    /* STATE_AGGR_R0:
     * SMF_PSK_AUTH: HDR, SA, KE, Ni, IDii
     *           --> HDR, SA, KE, Nr, IDir, HASH_R
     * SMF_DS_AUTH:  HDR, SA, KE, Nr, IDii
     *           --> HDR, SA, KE, Nr, IDir, [CERT,] SIG_R

seem to imply that it is (the code seems to deliberately allow CERT anywhere).


More information about the Swan-dev mailing list