From f883cd6df6d3d1471ea1249fb3189b6e8c5c29d0 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 31 Aug 2016 11:44:11 +0200
Subject: [PATCH] swanctl: Document how DH groups in CHILD_SA proposals are
 applied

References #1039.
---
 src/swanctl/swanctl.opt | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index fe5b293fb..15cbc6cfc 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -472,7 +472,7 @@ connections.<conn>.children.<child>.ah_proposals =
 	For AH, this includes an integrity algorithm and an optional Diffie-Hellman
 	group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
 	negotiation uses a separate Diffie-Hellman exchange using the specified
-	group.
+	group (refer to _esp_proposals_ for details).
 
 	In IKEv2, multiple algorithms of the same kind can be specified in a single
 	proposal, from which one gets selected. In IKEv1, only one algorithm per
@@ -495,11 +495,18 @@ connections.<conn>.children.<child>.esp_proposals = default
 	mode algorithm is used instead of the separate encryption/integrity
 	algorithms.
 
-	If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non
-	IKE_AUTH piggybacked) negotiation uses a separate Diffie-Hellman exchange
-	using the specified group. Extended Sequence Number support may be indicated
-	with the _esn_ and _noesn_ values, both may be included to indicate support
-	for both modes. If omitted, _noesn_ is assumed.
+	If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
+	negotiation use a separate Diffie-Hellman exchange using the specified
+	group. However, for IKEv2, the keys of the CHILD_SA created implicitly with
+	the IKE_SA will always be derived from the IKE_SA's key material. So any DH
+	group specified here will only apply when the CHILD_SA is later rekeyed or
+	is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch
+	might, therefore, not immediately be noticed when the SA is established, but
+	may later cause rekeying to fail.
+
+	Extended Sequence Number support may be indicated with the _esn_ and _noesn_
+	values, both may be included to indicate support for both modes. If omitted,
+	_noesn_ is assumed.
 
 	In IKEv2, multiple algorithms of the same kind can be specified in a single
 	proposal, from which one gets selected. In IKEv1, only one algorithm per