[strongSwan] INITIAL_CONTACT notification in responder mode
Maganti, Pavan (NSN - IN/Bangalore)
pavan.maganti at nsn.com
Wed Jan 28 15:42:49 CET 2015
RFC 5996 says this about INITIAL_CONTACT:
The INITIAL_CONTACT notification asserts that this IKE SA is the only
IKE SA currently active between the authenticated identities. It MAY
be sent when an IKE SA is established after a crash, and the
recipient MAY use this information to delete any other IKE SAs it has
to the same authenticated identity without waiting for a timeout.
This notification MUST NOT be sent by an entity that may be
replicated (e.g., a roaming user's credentials where the user is
allowed to connect to the corporate firewall from two remote systems
at the same time). The INITIAL_CONTACT notification, if sent, MUST
be in the first IKE_AUTH request or response, not as a separate
exchange afterwards; receiving parties MAY ignore it in other
My question is whether the INITIAL_CONTACT notification can be sent in an IKE_AUTH response.
If yes, under which condition will this notification be sent by the responder?
Could you please clarify?
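
Added example, not part of the original post and not strongSwan's code: a Python model of the recipient-side handling the quoted RFC text permits, honouring INITIAL_CONTACT only in the first IKE_AUTH message and only for an already authenticated identity. It assumes the payload chain is already decrypted; `IkeSaTable`, `on_auth_ok`, `payload` and the identity `gw.example.test` are hypothetical names, and the sample bytes are constructed.

```python
import struct

NOTIFY = 41              # IKEv2 payload type: Notify
INITIAL_CONTACT = 16384  # IKEv2 Notify Message Type (status)

def payload(next_type, body):
    """Generic payload header (next, flags, length) + body; builds sample data."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def notify_types(chain, first_type):
    """Return the Notify Message Types found in a decrypted payload chain."""
    found, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(chain):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", chain, off)
        if length < 4 or off + length > len(chain):
            raise ValueError("bad payload length")
        if ptype == NOTIFY:
            if length < 8:
                raise ValueError("short Notify payload")
            # Notify body: Protocol ID, SPI Size, Notify Message Type
            _proto, _spi_size, ntype = struct.unpack_from("!BBH", chain, off + 4)
            found.append(ntype)
        ptype, off = nxt, off + length
    return found

class IkeSaTable:
    """Hypothetical SA bookkeeping keyed by authenticated peer identity."""
    def __init__(self):
        self.by_peer = {}

    def on_auth_ok(self, sa_id, peer_id, chain, first_type, first_ike_auth):
        """Call only after the peer's AUTH payload verified; returns SA ids to delete."""
        stale = []
        # Outside the first IKE_AUTH message the notification is ignored.
        if first_ike_auth and INITIAL_CONTACT in notify_types(chain, first_type):
            stale = sorted(self.by_peer.pop(peer_id, set()))
        self.by_peer.setdefault(peer_id, set()).add(sa_id)
        return stale

# Constructed sample: ID payload (type 35, ID_FQDN) followed by Notify(INITIAL_CONTACT)
SAMPLE = (payload(NOTIFY, b"\x02\x00\x00\x00gw.example.test")
          + payload(0, struct.pack("!BBH", 0, 0, INITIAL_CONTACT)))
```

Keying the deletion on the authenticated identity, after AUTH verification, keeps an unauthenticated peer from tearing down someone else's SAs by sending the notification.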