[strongSwan-dev] Need clarification on INVALID-ID-INFORMATION notify message of quickmode negotiation

Tobias Brunner tobias at strongswan.org
Thu Nov 8 14:35:22 CET 2018

Hi Hussaina,

> strongSwan sends INVALID-ID-INFORMATION notification. However the SPI value is set to 0, though the spi length is set to 4 in the notification payload.

I see, you were referring to the SPI in the Notify payload.  That's not
relevant here.  Let me quote section 3.14 of RFC 2408, which should also
answer the following question:

> How can initiator map this notification payload to any IKE SA without the SPI information ?

  SPI Size (1 octet) - Length in octets of the SPI as defined by
  the Protocol-Id.  In the case of ISAKMP, the Initiator and
  Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
  therefore, the SPI Size is irrelevant and MAY be from zero (0) to
  sixteen (16).  If the SPI Size is non-zero, the content of the
  SPI field MUST be ignored.


More information about the Dev mailing list