Hi, Dharma. This mailing list is intended for discussion of standards, not the conformance (or lack thereof) of particular implementations.
I will contact you off-list.

Yoav

From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of dharmanandana pothulam
Sent: Tuesday, September 09, 2014 7:24 PM
To: ipsec@ietf.org
Cc: Sameer varshney; Liangjicheng
Subject: [IPsec] IKEv1 Interop issue: Transform number mismatch

Hi All,

We are facing one IKEv1 interop issue. The issue is that the Responder (Check Point SeGW) is not retaining the transform numbers received from the Initiator (Huawei base station); the SeGW replies with its own transform number.

IKEv1 first and second packets:

    Initiator                                     Responder
    -------------                                 -------------
    VID, SA   ------------------------------>     (1)
              <-----------------------------      VID, SA   (2)

In our scenario, the Huawei base station (Initiator) is sending transform number 0 and the Check Point security gateway (Responder) is replying with 1. The Initiator tries to match the transform number received from the Responder with one of the numbers sent initially, and the negotiation fails due to the mismatch.

We did interop tests with Cisco and Juniper; Cisco and Juniper are retaining the transform numbers sent by the Huawei base station, and the negotiation is successful.

The Huawei base station compares the received transform number with one of the transform numbers sent initially, along with the other attributes. This is in line with the RFC 2408 section 4.2 statement (The initiator MUST verify that the Security Association payload received from the responder matches one of the proposals sent initially).

One more point: the RFC says "The responder SHOULD retain the Proposal # field in the Proposal payload and the Transform # field in each Transform payload of the selected Proposal". As I understand it, this transform number helps to direct to the correct SA attributes on the initiator side.

Why are some vendors not retaining the transform number sent by the initiator? If it is not followed, do we see usefulness of the transform number received at the initiator side? Can we drop the exchange if the correct transform number is not received?

Regards,
Dharma.

Email secured by Check Point.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
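The mismatch Dharma describes can be reproduced with a small model of the ISAKMP Phase 1 SA selection. The following is an added example written for this thread, not code from Huawei, Check Point, Cisco or Juniper: it builds an initiator SA whose transforms are numbered from 0 as in the report, lets a responder either retain the Transform # (the RFC 2408 SHOULD) or renumber the chosen transform to 1, and then applies two initiator checks for the RFC 2408 section 4.2 MUST: a strict one that matches Proposal #, Transform # and attributes, and a lenient one that matches attributes only. Attribute types and values are the RFC 2409 Appendix A / IANA numbers; the function names, the sample policies and the attribute sets are constructed for the example.

```python
"""Model of IKEv1 Phase 1 SA selection and the initiator's RFC 2408 4.2 check.

Constructed example for the mailing-list thread; not vendor code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Phase 1 attribute types and values from RFC 2409 Appendix A (AES-CBC = 7 and
# 1536-bit MODP = 5 are the later IANA / RFC 3526 assignments).
ENCR, HASH, AUTH, GROUP, KEYLEN = 1, 2, 3, 4, 14
AES_CBC, TDES_CBC = 7, 5
SHA1 = 2
PSK = 1
MODP1024, MODP1536 = 2, 5
PROTO_ISAKMP = 1


@dataclass(frozen=True)
class Transform:
    number: int                              # Transform # field, RFC 2408 3.6
    attributes: Tuple[Tuple[int, int], ...]  # (attribute type, value) pairs


@dataclass(frozen=True)
class Proposal:
    number: int                              # Proposal # field, RFC 2408 3.5
    protocol_id: int
    transforms: Tuple[Transform, ...]        # alternatives offered for this proposal


# Initiator SA as in the report: transforms numbered from 0. Constructed data.
INITIATOR_SA = (
    Proposal(1, PROTO_ISAKMP, (
        Transform(0, ((ENCR, AES_CBC), (KEYLEN, 128), (HASH, SHA1), (AUTH, PSK), (GROUP, MODP1536))),
        Transform(1, ((ENCR, TDES_CBC), (HASH, SHA1), (AUTH, PSK), (GROUP, MODP1024))),
    )),
)

# Responder policy: accepts only the AES transform, i.e. the one the initiator sent as #0.
RESPONDER_POLICY = {
    ((ENCR, AES_CBC), (KEYLEN, 128), (HASH, SHA1), (AUTH, PSK), (GROUP, MODP1536)),
}


def responder_select(proposals, acceptable, retain_numbers=True) -> Optional[Proposal]:
    """Return the SA reply: the first offered transform the responder accepts.

    retain_numbers=True keeps the initiator's Proposal # and Transform #
    (RFC 2408 SHOULD). False models the renumbering seen in the thread, where
    the chosen transform comes back as #1 regardless of what was sent.
    """
    for prop in proposals:
        for tr in prop.transforms:
            if tr.attributes in acceptable:
                if retain_numbers:
                    return Proposal(prop.number, prop.protocol_id, (Transform(tr.number, tr.attributes),))
                return Proposal(1, prop.protocol_id, (Transform(1, tr.attributes),))
    return None


def initiator_verify_strict(sent, reply) -> bool:
    """RFC 2408 4.2 check as the base station applies it: the reply must carry
    exactly one transform whose Proposal #, Transform # and attributes all
    match something that was sent."""
    if reply is None or len(reply.transforms) != 1:
        return False
    chosen = reply.transforms[0]
    for prop in sent:
        if prop.number != reply.number or prop.protocol_id != reply.protocol_id:
            continue
        for tr in prop.transforms:
            if tr.number == chosen.number and tr.attributes == chosen.attributes:
                return True
    return False


def initiator_verify_by_attributes(sent, reply) -> bool:
    """Lenient check: ignore the numbers and match on attributes alone."""
    if reply is None or len(reply.transforms) != 1:
        return False
    chosen = reply.transforms[0]
    return any(tr.attributes == chosen.attributes
               for prop in sent if prop.protocol_id == reply.protocol_id
               for tr in prop.transforms)


def negotiate(strict_initiator: bool, responder_retains_numbers: bool) -> bool:
    """Run one exchange and report whether the initiator accepts the reply."""
    reply = responder_select(INITIATOR_SA, RESPONDER_POLICY, responder_retains_numbers)
    check = initiator_verify_strict if strict_initiator else initiator_verify_by_attributes
    return check(INITIATOR_SA, reply)


if __name__ == "__main__":
    for strict in (True, False):
        for retain in (True, False):
            print(f"strict={strict!s:5} responder_retains={retain!s:5} -> "
                  f"{'accepted' if negotiate(strict, retain) else 'REJECTED'}")
```

Only the strict initiator facing a renumbering responder fails, which is the combination in the report: the reply's Transform #1 points at the initiator's 3DES entry while the attributes describe the AES entry, so the numbers and attributes disagree and the strict check has no consistent match. The lenient check accepts the same reply because it never consults the number, which is the behaviour the thread observes with the other gateways.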