[Swan-dev] can an IKEv1 aggressive initial request contain a cert?

Paul Wouters paul at nohats.ca
Thu Mar 5 17:50:00 UTC 2020

On Thu, 5 Mar 2020, Andrew Cagney wrote:

> Reading the RFC, I can see CERT in:
> - the aggressive initial response
> - the second aggressive request
> but not for the initial request (but pluto still tries to unpack it).
> However, the state machine comments:
>    /* STATE_AGGR_R0:
>     * SMF_PSK_AUTH: HDR, SA, KE, Ni, IDii
>     *           --> HDR, SA, KE, Nr, IDir, HASH_R
>     * SMF_DS_AUTH:  HDR, SA, KE, Nr, IDii
>     *           --> HDR, SA, KE, Nr, IDir, [CERT,] SIG_R
>     */
> seem to imply that it is (the code seems to deliberately allow CERT anywhere).

Note that IKEv1 (RFC 2409) does not have CERTREQ, but uses CERT for what
in IKEv2 is called CERT and CERTREQ payloads. I find one mention of
"certificate request" but no where does it explain where or in which
payload to send it.

In the above diagram though, that seems to be the real CERT (not
certificate request) payload.

But regardless, maybe best to leave this ancient code as-is ? :)


More information about the Swan-dev mailing list