Matthew,
It has to be Case #2. Nowhere in the CREATE_CHILD_SA - IKE_SA Rekey
exchange do you update to the other endpoint the new CHILD_SA SPIs -
without exchanging the CHILD_SA SPIs, you'll most definitely run into
interoperability issues, namely you'll start black holing traffic. As a
re
Matt,
In respect to Notify ERROR TYPES & the IKE_AUTH response with IDr,
[CERT+] & AUTH payload inclusion, NO_PROPOSAL_CHOSEN,
SINGLE_PAIR_REQUIRED, TS_UNACCEPTABLE and NO_ADDITIONAL_SAS are Notify
ERROR TYPES that would generally still include the IDr, [CERT+] & AUTH
payload in the respon