Hi Prashant,
As per RFC 5996, the initiator sending AUTHENTICATION_FAILED would be sufficient
in the case of a peer authentication failure:
Sec. 2.21.2 Error Handling in IKE_AUTH
...
If the error occurs on the initiator, the notification MAY be
returned in a separate INFORMATIONAL exchange, usually wit
Thanks Scott,
I also prefer sending the AUTHENTICATION_FAILED and a DELETE payload,
so as to ensure that the peer deletes the IPsec tunnel from the SADB (as
it would already have added the tunnel to the SADB after sending the
AUTH_RESPONSE).
But, to second you, most implementations would delete
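The exchange discussed in the two messages above (the initiator reporting AUTHENTICATION_FAILED in a separate INFORMATIONAL exchange, as RFC 5996 section 2.21.2 allows, optionally together with a DELETE payload so the peer tears down the SA state it already installed), worked through as an added Python example. This is not code from this thread or from any of the posters' implementations. Assumptions: the IDr comparison is byte-exact, which is local policy since the RFC defines no matching rule for the case asked about; the payload chain is shown in plaintext, whereas on the wire it would be carried inside an SK (Encrypted) payload protected by the IKE SA keys; the Message ID of 2 assumes IDs 0 and 1 were consumed by IKE_SA_INIT and IKE_AUTH; the SPIs and identities are constructed sample values. The payload type and notify numbers are the registered ones from RFC 7296/5996.

```python
import struct

# IKEv2 wire constants (RFC 7296 / RFC 5996); these are the registered values.
IKEV2_VERSION = 0x20          # major version 2, minor 0
EXCH_INFORMATIONAL = 37
FLAG_INITIATOR = 0x08         # Flags octet: I(nitiator) bit set on requests we send
PAYLOAD_NONE, PAYLOAD_IDR, PAYLOAD_N, PAYLOAD_D = 0, 36, 41, 42
ID_FQDN = 2
PROTO_IKE = 1                 # Delete payload Protocol ID for the IKE SA itself
N_AUTHENTICATION_FAILED = 24
IKE_HDR_LEN = 28


def parse_id_payload(body):
    """Split an ID payload body into (ID Type, Identification Data)."""
    if len(body) < 4:
        raise ValueError("ID payload body too short")
    return body[0], body[4:]       # octets 1-3 of the body are RESERVED


def idr_matches(expected, received_body):
    """Compare the responder's IDr with the one the initiator requested.
    Byte-exact comparison is an assumption (local policy); the RFC defines
    no matching rule for this case."""
    return parse_id_payload(received_body) == expected


def generic_payload(next_payload, body):
    """Generic payload header: Next Payload, C+RESERVED, Payload Length (incl. header)."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def notify_payload(next_payload, msg_type):
    """Notify without an SPI: Protocol ID 0, SPI Size 0 (RFC 7296 sec. 3.10)."""
    return generic_payload(next_payload, struct.pack("!BBH", 0, 0, msg_type))


def delete_ike_sa_payload(next_payload):
    """Delete payload for the IKE SA: Protocol ID 1, SPI Size 0, zero SPIs.
    Deleting the IKE SA implicitly deletes all its Child SAs (sec. 3.11)."""
    return generic_payload(next_payload, struct.pack("!BBH", PROTO_IKE, 0, 0))


def ike_header(spi_i, spi_r, next_payload, exch, flags, msg_id, body_len):
    """Fixed 28-octet IKE header (sec. 3.1); Length covers header plus payloads."""
    return struct.pack("!8s8sBBBBII", spi_i, spi_r, next_payload,
                       IKEV2_VERSION, exch, flags, msg_id, IKE_HDR_LEN + body_len)


def auth_failed_informational(spi_i, spi_r, msg_id, with_delete=True):
    """Initiator's INFORMATIONAL request carrying N(AUTHENTICATION_FAILED) and,
    optionally, D(IKE). Plaintext chain; on the wire it sits inside an SK payload."""
    if with_delete:
        chain = (notify_payload(PAYLOAD_D, N_AUTHENTICATION_FAILED)
                 + delete_ike_sa_payload(PAYLOAD_NONE))
    else:
        chain = notify_payload(PAYLOAD_NONE, N_AUTHENTICATION_FAILED)
    hdr = ike_header(spi_i, spi_r, PAYLOAD_N, EXCH_INFORMATIONAL,
                     FLAG_INITIATOR, msg_id, len(chain))
    return hdr + chain


def handle_idr(expected_idr, received_idr_body, spi_i, spi_r, msg_id, with_delete=True):
    """Initiator-side decision after the IKE_AUTH response: None when the
    responder's IDr is acceptable, otherwise the error message to send next."""
    if idr_matches(expected_idr, received_idr_body):
        return None
    return auth_failed_informational(spi_i, spi_r, msg_id, with_delete)


def parse_payload_chain(msg):
    """Walk the payload chain after the IKE header; returns [(type, body), ...].
    Length fields are checked so a truncated or oversized message raises."""
    if len(msg) < IKE_HDR_LEN or struct.unpack("!I", msg[24:28])[0] != len(msg):
        raise ValueError("bad IKE header length")
    ptype, off, out = msg[16], IKE_HDR_LEN, []
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("payload header truncated")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        out.append((ptype, msg[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    return out


if __name__ == "__main__":
    # Constructed sample: initiator asked for vpn.example.com, responder claimed another name.
    SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    expected = (ID_FQDN, b"vpn.example.com")
    received = bytes([ID_FQDN, 0, 0, 0]) + b"other.example.com"
    msg = handle_idr(expected, received, SPI_I, SPI_R, msg_id=2)  # 0 and 1 used by INIT/AUTH
    print(msg.hex())
    print(parse_payload_chain(msg))
```

Run as-is it prints the 44-octet message (28-octet header, 8-octet Notify, 8-octet Delete) and the parsed chain, which is a convenient way to compare against a packet capture once the SK payload has been decrypted. Dropping the Delete payload (with_delete=False) gives the bare N(AUTHENTICATION_FAILED) that the RFC text quoted above describes.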
Hi Prashant.
> 1) If in the IKE_AUTH request message the initiator sends an ID_R
> payload (optional) specifying a particular peer identity, and the responder
> sends some different identity in the ID_R payload, what should be the
> behavior? Should we send an AUTHENTICATION_FAILED message,
> or except t
Hi,
I have two doubts regarding IKEv2:
1) If in the IKE_AUTH request message the initiator sends an ID_R
payload (optional) specifying a particular peer identity, and the responder
sends some different identity in the ID_R payload, what should be the
behavior? Should we send an AUTHENTICATION_FAILED message