From the draft, the VPN Responder behavior is not clear if the Initiator proceeds with SA establishment even after receiving a "REDIRECT" notification from the VPN gateway.
The draft indicates the following:

When the VPN client receives the IKE_SA_INIT response with the REDIRECT payload, it initiates a new IKE_SA_INIT exchange with the VPN gateway listed in the REDIRECT payload. The VPN client includes the IP address of the original VPN gateway that redirected the client. The IKEv2 exchange then proceeds as normal with the selected VPN gateway.

I believe that the VPN gateway should not stop the client from proceeding further with IKE negotiation even after it sends the REDIRECT notification in response to the IKE_SA_INIT message. If that is what is intended, it is good if the above text clarifies that further.

Thanks
Srini
