Dear All,

I'm in charge of developing VPN Clients based on IKEv2 and IPSec.
We referred to the implementation of strongswan and RFC documents such as 4306 and 4718.

While developing, we faced one question about complexing of Traffic Selectors. According to RFC 4718, complexing of TSi and TSr which have the same protocol IDs is defined and clarified. However, in the case when TSi is (17 (udp) any any) and TSr is (ip any any), where the protocol IDs are different, should the VPN complex TSi and TSr?

According to the implementation of strongswan, we found that strongswan checks the following when complexing the TSi and TSr:

1) remove the policy which has different protocol IDs for TSi and TSr as long as both of them are not "ANY"
2) follow the protocol which is not "ANY" if one of TSi and TSr is "ANY"

According to my analysis, the following examples are possible:

- ANY & ANY yields ANY
- ANY & UDP yields UDP
- UDP & UDP yields UDP
- TCP & UDP <-- remove this case

Does the above implementation of strongswan follow the standards? If so, we're planning to implement the way strongswan supports.

I'm looking forward to all of the experts' responses.

My Best Regards,
Jaemin Park

--
Park, Jae Min
Assistant Manager
Device R&D Center, Convergence WIBRO BU, KT
M : +82-10-3010-2658
T : +82-2-2010-9255
jmp...@kt.com, jmpar...@gmail.com
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
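The two checks described in the message above, written out as an added example; this is not strongswan's code and not part of the original message. The type and function names (`ts_t`, `policy_t`, `combine_proto`, `build_policies`) are hypothetical, and the selectors carry only a protocol ID and a port range, with addresses left out.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define PROTO_ANY 0   /* IKEv2 TS protocol ID 0 means "any" */
#define PROTO_TCP 6
#define PROTO_UDP 17

/* Simplified selector: protocol and port range only (addresses omitted). */
typedef struct { uint8_t proto; uint16_t from_port, to_port; } ts_t;
typedef struct { uint8_t proto; ts_t src, dst; } policy_t;

/* Returns the combined protocol ID, or -1 when the pair must be dropped. */
int combine_proto(uint8_t a, uint8_t b)
{
    if (a == b) return a;              /* ANY & ANY, UDP & UDP */
    if (a == PROTO_ANY) return b;      /* ANY & UDP yields UDP */
    if (b == PROTO_ANY) return a;      /* UDP & ANY yields UDP */
    return -1;                         /* TCP & UDP: no policy */
}

/* One policy per (TSi, TSr) pair whose protocols are compatible. */
size_t build_policies(const ts_t *tsi, size_t ni, const ts_t *tsr, size_t nr,
                      policy_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < ni; i++)
        for (size_t j = 0; j < nr; j++) {
            int p = combine_proto(tsi[i].proto, tsr[j].proto);
            if (p < 0 || n == cap) continue;   /* mismatch or output full */
            out[n++] = (policy_t){ (uint8_t)p, tsi[i], tsr[j] };
        }
    return n;
}

/* Constructed sample selectors, not taken from any real configuration. */
static policy_t demo_out[8];
size_t run_demo(void)
{
    const ts_t tsi[] = { {PROTO_UDP, 0, 65535}, {PROTO_TCP, 0, 65535} };
    const ts_t tsr[] = { {PROTO_ANY, 0, 65535}, {PROTO_UDP, 500, 500} };
    return build_policies(tsi, 2, tsr, 2, demo_out, 8);
}

int main(void)
{
    size_t n = run_demo();
    for (size_t i = 0; i < n; i++)
        printf("policy %zu: proto %u\n", i, (unsigned)demo_out[i].proto);
    return 0;
}
```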