Hi,

With IKEv1, when strongSwan (as responder) sends INVALID-ID-INFORMATION for an IDii/IDir mismatch, it does not send the SPI value of the IKE SA. However, it sends a 0 SPI in the quick mode negotiation along with the HASH payload and N(INVALID-ID-INFORMATION). As per https://tools.ietf.org/html/rfc2408#section-2.4, this response message should fall under line no. (4). I think line (5) is for the KE/ID payloads of main mode.

Can someone clarify whether strongSwan should send a valid SPI with the N(INVALID-ID-INFORMATION) or not?

    #   Operation                          I-Cookie  R-Cookie  Message ID  SPI
    (1) Start ISAKMP SA negotiation        X         0         0           0
    (2) Respond ISAKMP SA negotiation      X         X         0           0
    (3) Init other SA negotiation          X         X         X           X
    (4) Respond other SA negotiation       X         X         X           X
    (5) Other (KE, ID, etc.)               X         X         X/0         NA
    (6) Security Protocol (ESP, AH)        NA        NA        NA          X

Here is the snip of the packet trace (strongSwan peer is 1.1.5.100):

    IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 216, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid
    IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 148, mID=00000000, HDR, SA, Vid, Vid, Vid
    IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 356, mID=00000000, HDR, KE, Nonce, PRV, PRV
    IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 372, mID=00000000, HDR, KE, Nonce, PRV, PRV
    IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 92, mID=00000000, HDR, ID, HASH, N(INITIAL_CONTACT)
    IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 76, mID=00000000, HDR, ID, HASH
    IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 460, mID=8956a6b8, HDR, HASH, SA, Nonce, KE, ID, ID
    IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 76, mID=bd816a46, HDR, HASH, N(INVALID_ID_INFORMATION)

Thanks & Regards,
Hussaina N.
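To make the question concrete, here is a small encoder/decoder for the ISAKMP header and the Notification payload as laid out in RFC 2408 (sections 3.1 and 3.14). It is an added example, not code from the original post and not strongSwan code. It builds two constructed HDR, HASH, N(INVALID-ID-INFORMATION) informational messages, one with SPI Size 0 (the shape described in the post) and one whose Notification payload carries the 16-byte ISAKMP SPI, i.e. the initiator and responder cookies, and parses both so you can see where the SPI field sits and how its length is signalled. The cookie bytes and the HASH digest are constructed placeholders (a real HASH payload would carry a PRF output); the message ID is the one from the trace above.

```python
import struct

# Field layouts and values from RFC 2408 (ISAKMP).
HDR_LEN = 28                     # fixed ISAKMP header size
PAYLOAD_HASH = 8                 # payload type: Hash
PAYLOAD_NOTIFY = 11              # payload type: Notification
EXCH_INFORMATIONAL = 5           # exchange type: Informational
PROTO_ISAKMP = 1                 # Protocol-ID for the ISAKMP (IKE) SA
IPSEC_DOI = 1                    # IPsec DOI identifier
NOTIFY_INVALID_ID_INFORMATION = 18   # RFC 2408 section 3.14.1

# Constructed sample values (placeholders, not from a real session).
ICOOKIE = bytes.fromhex("0102030405060708")
RCOOKIE = bytes.fromhex("a1a2a3a4a5a6a7a8")
DIGEST = bytes(16)               # placeholder for a 16-byte HASH payload body
MESSAGE_ID = 0xBD816A46          # mID of the N(INVALID_ID_INFORMATION) reply in the trace


def build_header(icookie, rcookie, first_payload, exch, msg_id, body_len):
    """ISAKMP header: I-cookie(8) R-cookie(8) NextPayload Version ExchType Flags MsgID Length."""
    return struct.pack("!8s8sBBBBII", icookie, rcookie, first_payload,
                       0x10, exch, 0, msg_id, HDR_LEN + body_len)


def build_hash(next_payload, digest):
    """Generic payload header (NextPayload, Reserved, Length) followed by the hash data."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(digest)) + digest


def build_notify(next_payload, doi, proto, notify_type, spi, data=b""):
    """Notification payload: DOI(4) Protocol-ID(1) SPI Size(1) Notify Type(2) SPI(var) Data."""
    body = struct.pack("!IBBH", doi, proto, len(spi), notify_type) + spi + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_informational(icookie, rcookie, msg_id, digest, spi):
    """HDR, HASH, N(INVALID-ID-INFORMATION) with the given SPI (possibly empty)."""
    body = build_hash(PAYLOAD_NOTIFY, digest) + build_notify(
        0, IPSEC_DOI, PROTO_ISAKMP, NOTIFY_INVALID_ID_INFORMATION, spi)
    return build_header(icookie, rcookie, PAYLOAD_HASH,
                        EXCH_INFORMATIONAL, msg_id, len(body)) + body


def parse_message(msg):
    """Walk the payload chain and decode Notification payloads; rejects inconsistent lengths."""
    ic, rc, nxt, ver, exch, flags, mid, length = struct.unpack("!8s8sBBBBII", msg[:HDR_LEN])
    if length != len(msg):
        raise ValueError("header length does not match message size")
    payloads, off, ptype = [], HDR_LEN, nxt
    while ptype != 0:
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("payload length out of range")
        pbody = msg[off + 4:off + plen]
        entry = {"type": ptype}
        if ptype == PAYLOAD_NOTIFY:
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", pbody[:8])
            if 8 + spi_size > len(pbody):
                raise ValueError("SPI size exceeds notify payload")
            entry.update(doi=doi, protocol_id=proto, spi_size=spi_size,
                         notify_type=ntype, spi=pbody[8:8 + spi_size],
                         data=pbody[8 + spi_size:])
        payloads.append(entry)
        off, ptype = off + plen, nxt
    return {"icookie": ic, "rcookie": rc, "exchange": exch,
            "message_id": mid, "payloads": payloads}


# The two shapes under discussion: SPI Size 0 versus the 16-byte ISAKMP SPI (cookie pair).
ZERO_SPI_MSG = build_informational(ICOOKIE, RCOOKIE, MESSAGE_ID, DIGEST, b"")
FULL_SPI_MSG = build_informational(ICOOKIE, RCOOKIE, MESSAGE_ID, DIGEST, ICOOKIE + RCOOKIE)


def notify_of(msg):
    """Return the decoded Notification payload of a parsed message."""
    return next(p for p in parse_message(msg)["payloads"] if p["type"] == PAYLOAD_NOTIFY)


if __name__ == "__main__":
    for label, m in (("SPI size 0", ZERO_SPI_MSG), ("16-byte ISAKMP SPI", FULL_SPI_MSG)):
        n = notify_of(m)
        print(label, "len=", len(m), "notify_type=", n["notify_type"],
              "spi_size=", n["spi_size"], "spi=", n["spi"].hex())
```

Note that in both encodings the cookie pair is always present in the ISAKMP header; the question in the post is only whether the Notification payload repeats it in its SPI field (SPI Size 16) or carries SPI Size 0. The parser above decodes either form, and the length check on SPI Size is the one a receiver needs so that a bad size byte cannot push the read past the end of the payload.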
