At 5:38 PM +0530 3/31/09, Kalyani Garigipati (kagarigi) wrote:
>Hi,
>
>Please clarify the following.
>
>On the responder, if creating the Child SA during the IKE_AUTH request
>processing fails for some reason like NO_PROPOSAL_CHOSEN,
>TS_UNACCEPTABLE, SINGLE_PAIR_REQUIRED, INTERNAL_ADDRESS_FAILURE, and
>FAILED_CP_REQUIRED, then should we be sending AUTH, IDr and CERT
>payloads as usual in AUTH response?
>
>Something like below flow.
>
>
>HDR, SK {IDi, [CERT,] [CERTREQ,]
>    [IDr,] AUTH, SAi2,
>    TSi, TSr}  -->
>
>                             <--  HDR, SK {IDr, [CERT,] AUTH,
>                                      N[TS_UNACCEPTABLE]}

Yes, you need to be sending IDr and AUTH. CERT is already optional, and I don't
think anyone would be surprised if you didn't send it during the failure case.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
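
The exchange discussed above, modelled from both sides as an added example (not code from the thread or from any IKEv2 implementation). The function names and the (name, value) payload model are hypothetical; the Notify numbers are the IKEv2 registry values for the five errors named in the question, and treating the IKE SA as established in the failure case follows the later IKEv2 revisions (RFC 5996/7296).

```python
# Added example. Payloads are modelled as (name, value) tuples; no wire
# encoding or cryptography is performed. Verifying the AUTH value itself is
# assumed to happen elsewhere, before the result is acted on.

# Notify error types that report a Child SA failure in IKE_AUTH.
CHILD_SA_ERRORS = {
    14: "NO_PROPOSAL_CHOSEN",
    34: "SINGLE_PAIR_REQUIRED",
    36: "INTERNAL_ADDRESS_FAILURE",
    37: "FAILED_CP_REQUIRED",
    38: "TS_UNACCEPTABLE",
}


def build_auth_response(child_error=None, send_cert=True):
    """Responder side: contents of SK{...} in the IKE_AUTH response."""
    if child_error is not None and child_error not in CHILD_SA_ERRORS:
        raise ValueError("not a Child SA failure notify: %r" % (child_error,))
    payloads = [("IDr", None)]
    if send_cert:  # CERT is optional in the success and failure cases alike
        payloads.append(("CERT", None))
    payloads.append(("AUTH", None))  # still sent when the Child SA fails
    if child_error is None:
        payloads += [("SAr2", None), ("TSi", None), ("TSr", None)]
    else:
        payloads.append(("N", child_error))
    return payloads


def classify_auth_response(payloads):
    """Initiator side: decide what the response established."""
    names = [name for name, _ in payloads]
    if "IDr" not in names or "AUTH" not in names:
        # Without IDr and AUTH the responder has not authenticated itself.
        return ("reject", "IDr/AUTH missing")
    errors = [CHILD_SA_ERRORS[value] for name, value in payloads
              if name == "N" and value in CHILD_SA_ERRORS]
    if errors:
        return ("ike_sa_only", errors[0])
    if all(name in names for name in ("SAr2", "TSi", "TSr")):
        return ("ike_sa_and_child_sa", None)
    return ("reject", "no Child SA payloads and no error notify")


if __name__ == "__main__":
    response = build_auth_response(child_error=38, send_cert=False)
    print(response, classify_auth_response(response))
```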