Addepalli Srini-B22160 wrote:
> Hi Vijay,
>
> Vijay> No. The client must start using the new gateway.
>
> I think that MUST is a strong word and "SHOULD" is okay.
> In any case, this clarity should be there in the text I mentioned
> before.

When the REDIRECT is received during the IKE_SA_INIT exchange, the IKEv2
SA is not created. Is it enough if I say, the IKEv2 SA is not created?
This implies the client cannot continue using the current gateway.

Vijay

> Thanks
> Srini
>
> -----Original Message-----
> From: Vijay Devarapalli [mailto:[email protected]]
> Sent: Wednesday, March 18, 2009 11:36 AM
> To: Addepalli Srini-B22160
> Cc: IPsecme WG
> Subject: Re: Behavior of VPN Gateway when Client does not accept/ignores REDIRECT notification
>
> Addepalli Srini-B22160 wrote:
> > From the draft, it is not clear on the VPN Responder behavior if
> > Initiator proceeds with SA establishment even after receiving
> > "REDIRECT" notification from the VPN Gateway.
> >
> > Draft indicates following:
> >
> >    When the VPN client receives the IKE_SA_INIT response with the
> >    REDIRECT payload, it initiates a new IKE_SA_INIT exchange with the
> >    VPN gateway listed in the REDIRECT payload. The VPN client includes
> >    the IP address of the original VPN gateway that redirected the
> >    client. The IKEv2 exchange then proceeds as normal with the selected
> >    VPN gateway.
> >
> > I believe that VPN gateway should not stop Client proceeding further
> > with IKE negotiation even after it sends the REDIRECT notification in
> > response to IKE_SA_INIT message.
>
> No. The client must start using the new gateway.
>
> Vijay
>
> > If that is what is intended, it is good
> > if the above text clarifies that further.
> >
> > Thanks
> > Srini