[Openswan Users] backward compatibility of ikev2

Paul Wouters paul at xelerance.com
Wed Feb 10 13:25:18 EST 2010


On Wed, 10 Feb 2010, nikhil mittal wrote:

> I would like to know: does ikev2 provide backward compatibility? To elaborate my query: if we have two
> machines, one configured with ikev1 and another with ikev2, can they establish an SA between them?
> I know that messages exchanged during phase one of v1 and v2 are different, and that should cause a problem.
> I haven't tested it though.
> Anybody with a firm answer, please do reply.

It depends on how you configure it. See the ikev2 option in the man page for ipsec.conf.
But basically, you can choose whether to accept ikev2 and/or ikev1. If you allow both,
then Openswan does some protection against bid-down attacks (if the other end is also
Openswan, or supports the CANIKEv2 vendor id in their ikev1 implementation).

Paul
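
The following ipsec.conf fragment is an added example, not part of the original message. It shows the `ikev2` option the reply refers to, using the values documented in the Openswan 2.6 ipsec.conf man page. The connection names, addresses and `authby` setting are constructed placeholders; check the man page of your installed version for the exact values and the default.

```conf
# /etc/ipsec.conf (fragment), constructed example
# Addresses are from the 192.0.2.0/24 documentation range.

conn peer-v2-only
    # Initiate and accept IKEv2 only; IKEv1 negotiations are rejected.
    # No version fallback is possible, so there is nothing to bid down to.
    ikev2=insist
    left=192.0.2.1
    right=192.0.2.2
    authby=secret
    auto=add

conn peer-v2-preferred
    # Both versions allowed; this end initiates with IKEv2.
    # This is the "allow both" case from the reply, where the bid-down
    # protection depends on what the other end supports.
    ikev2=propose
    left=192.0.2.1
    right=192.0.2.3
    authby=secret
    auto=add

conn peer-v2-if-asked
    # Initiate with IKEv1, but accept IKEv2 if the peer initiates with it.
    ikev2=permit
    left=192.0.2.1
    right=192.0.2.4
    authby=secret
    auto=add

conn peer-v1-only
    # Neither send nor accept IKEv2; for peers that only implement IKEv1.
    ikev2=never
    left=192.0.2.1
    right=192.0.2.5
    authby=secret
    auto=add
```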

