[strongSwan-dev] INVALID_SPI notify payload

Tobias Brunner tobias at strongswan.org
Fri Nov 12 16:47:07 CET 2021

Hi Jean-Francois,

> When receiving an informational packet with a notify payload for 
> INVALID_SPI, the initiator SPI of the IKE header can be 0 
> (https://www.rfc-editor.org/rfc/rfc4718#section-7.7).

Please refer to RFC 7296 for IKEv2, this clarification has been 
incorporated into section 1.5 there.

> However when 
> building without mediation support, this kind of IKE header is rejected. 
> Maybe this check can delayed for later for INFORMATIONAL exchange when 
> the next payload was parsed.
> Any thought about this ?

We currently don't support INVALID_SPI notifies at all (or parsing 
unprotected INFORMATIONAL requests outside of an IKE_SA for that 
matter), so I don't see the need to change anything at the moment.


More information about the Dev mailing list