[strongSwan] INITIAL_CONTACT notification in responder mode

Pavan Maganti pavansanjay at gmail.com
Thu Jan 29 06:23:24 CET 2015


RFC 5996 says this about INITIAL_CONTACT:

   The INITIAL_CONTACT notification asserts that this IKE SA is the only
   IKE SA currently active between the authenticated identities.  It MAY
   be sent when an IKE SA is established after a crash, and the
   recipient MAY use this information to delete any other IKE SAs it has
   to the same authenticated identity without waiting for a timeout.
   This notification MUST NOT be sent by an entity that may be
   replicated (e.g., a roaming user's credentials where the user is
   allowed to connect to the corporate firewall from two remote systems
   at the same time).  The INITIAL_CONTACT notification, if sent, MUST
   be in the first IKE_AUTH request or response, not as a separate
   exchange afterwards; receiving parties MAY ignore it in other


My question is whether INITIAL_CONTACT notification can be sent in IKE_AUTH

If yes, under which condition will this notification be sent by the responder?

Could you please clarify?

Pavan M
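As an added illustration of the RFC text quoted above (not strongSwan code, and not part of the original mail), the following Python models the two decisions the RFC leaves to each peer: when a peer, responder included, may legitimately send INITIAL_CONTACT in its first IKE_AUTH message, and what a recipient should do with one. The SA table, identities and SPIs are constructed sample data; message ID 1 is assumed to be the first IKE_AUTH exchange.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# IKEv2 constants from RFC 5996 (exchange types, notify message type).
IKE_AUTH = 35
INFORMATIONAL = 37
INITIAL_CONTACT = 16384


@dataclass
class IkeSa:
    spi: int
    local_id: str
    remote_id: str  # peer identity as verified by the AUTH payload


@dataclass
class SaTable:
    """Hypothetical in-memory IKE SA table keyed by local SPI (constructed)."""
    sas: Dict[int, IkeSa] = field(default_factory=dict)

    def add(self, sa: IkeSa) -> None:
        self.sas[sa.spi] = sa

    def others_between(self, sa: IkeSa) -> List[IkeSa]:
        # All other IKE SAs between the same pair of authenticated identities.
        return [o for o in self.sas.values()
                if o.spi != sa.spi and (o.local_id, o.remote_id) == (sa.local_id, sa.remote_id)]


def may_send_initial_contact(table: SaTable, sa: IkeSa, exchange_type: int,
                             message_id: int, locally_replicated: bool) -> bool:
    """Sender side (either role): the RFC only allows the assertion in the first IKE_AUTH
    request/response, never from a replicated entity, and only if it is actually true."""
    if locally_replicated or exchange_type != IKE_AUTH or message_id != 1:
        return False
    return not table.others_between(sa)


def process_initial_contact(table: SaTable, sa: IkeSa, exchange_type: int,
                            message_id: int, peer_authenticated: bool) -> List[int]:
    """Recipient side: delete the stale IKE SAs to the same identity and return their SPIs.
    Outside the first IKE_AUTH, or before the peer is authenticated, the notify is ignored,
    so an unauthenticated party cannot tear down someone else's SAs."""
    if exchange_type != IKE_AUTH or message_id != 1 or not peer_authenticated:
        return []
    deleted = [o.spi for o in table.others_between(sa)]
    for spi in deleted:
        del table.sas[spi]
    return deleted
```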
