[strongSwan-dev] Need clarification on INVALID-ID-INFORMATION notify message of quickmode negotiation
Tobias Brunner
tobias at strongswan.org
Thu Nov 8 14:35:22 CET 2018
Hi Hussaina,
> strongSwan sends INVALID-ID-INFORMATION notification. However, the SPI value is set to 0, though the SPI length is set to 4 in the notification payload.
I see, you were referring to the SPI in the Notify payload. That's not
relevant here. Let me quote section 3.14 of RFC 2408, which should also
answer the following question:
> How can initiator map this notification payload to any IKE SA without the SPI information?

    SPI Size (1 octet) - Length in octets of the SPI as defined by
    the Protocol-Id.  In the case of ISAKMP, the Initiator and
    Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
    therefore, the SPI Size is irrelevant and MAY be from zero (0) to
    sixteen (16).  If the SPI Size is non-zero, the content of the
    SPI field MUST be ignored.

Regards,
Tobias
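
Added example, not part of the original message and not strongSwan code: a minimal receiver-side parser that maps a Notify to its IKE SA through the cookie pair in the ISAKMP header and discards the SPI field when the Protocol-Id is ISAKMP, as the quoted RFC 2408 text requires. The cookies, SA table and sample message are constructed, and the message is an unencrypted header followed by a single Notify payload (a simplification; an Informational exchange under an established ISAKMP SA is encrypted and carries a HASH payload first).

```python
import struct

ISAKMP_HDR = struct.Struct(">8s8sBBBBII")  # RFC 2408 section 3.1 (28 octets)
NOTIFY_HDR = struct.Struct(">BBHIBBH")     # RFC 2408 section 3.14, fixed part
PAYLOAD_NOTIFY = 11
PROTO_ISAKMP = 1
INVALID_ID_INFORMATION = 18


def parse_notify(msg):
    """Return (cookie_pair, protocol_id, notify_type, spi, data)."""
    if len(msg) < ISAKMP_HDR.size + NOTIFY_HDR.size:
        raise ValueError("message too short")
    icookie, rcookie, next_pl, _ver, _xchg, _flags, _mid, length = \
        ISAKMP_HDR.unpack_from(msg, 0)
    if length != len(msg) or next_pl != PAYLOAD_NOTIFY:
        raise ValueError("expected header followed by a Notify payload")
    off = ISAKMP_HDR.size
    _next, _rsvd, pl_len, _doi, proto, spi_size, ntype = \
        NOTIFY_HDR.unpack_from(msg, off)
    spi_off, end = off + NOTIFY_HDR.size, off + pl_len
    if pl_len < NOTIFY_HDR.size + spi_size or end > len(msg):
        raise ValueError("Notify payload length inconsistent")
    # Always step over spi_size octets so the notification data is found.
    spi = msg[spi_off:spi_off + spi_size]
    if proto == PROTO_ISAKMP:
        spi = None  # content MUST be ignored; the cookie pair is the SPI
    return (icookie, rcookie), proto, ntype, spi, msg[spi_off + spi_size:end]


def find_ike_sa(sa_table, msg):
    """Look up the IKE SA by header cookies, never by the Notify SPI."""
    cookies, _proto, ntype, _spi, _data = parse_notify(msg)
    return sa_table.get(cookies), ntype


# Constructed sample values (not taken from the thread).
ICOOKIE = bytes.fromhex("1122334455667788")
RCOOKIE = bytes.fromhex("99aabbccddeeff00")


def build_sample(proto=PROTO_ISAKMP, spi=b"\x00" * 4):
    """Informational message: SPI Size 4 with an all-zero SPI by default."""
    notify = NOTIFY_HDR.pack(0, 0, NOTIFY_HDR.size + len(spi), 1, proto,
                             len(spi), INVALID_ID_INFORMATION) + spi
    hdr = ISAKMP_HDR.pack(ICOOKIE, RCOOKIE, PAYLOAD_NOTIFY, 0x10, 5, 0,
                          0x01020304, ISAKMP_HDR.size + len(notify))
    return hdr + notify
```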