[strongSwan] INITIAL_CONTACT notification in responder mode

Maganti, Pavan (NSN - IN/Bangalore) pavan.maganti at nsn.com
Wed Jan 28 15:42:49 CET 2015


RFC 5996 says this about INITIAL_CONTACT:
  The INITIAL_CONTACT notification asserts that this IKE SA is the only
   IKE SA currently active between the authenticated identities.  It MAY
   be sent when an IKE SA is established after a crash, and the
   recipient MAY use this information to delete any other IKE SAs it has
   to the same authenticated identity without waiting for a timeout.
   This notification MUST NOT be sent by an entity that may be
   replicated (e.g., a roaming user's credentials where the user is
   allowed to connect to the corporate firewall from two remote systems
   at the same time).  The INITIAL_CONTACT notification, if sent, MUST
   be in the first IKE_AUTH request or response, not as a separate
   exchange afterwards; receiving parties MAY ignore it in other

My question is whether INITIAL_CONTACT notification can be sent in IKE_AUTH response?
If yes, in which condition this notification will be sent by responder?

Could you please clarify?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/2ff6ea87/attachment.html>

More information about the Users mailing list