Hi Vijay,

That should be fine.

Though it is obvious with this new statement, it is good to extend the
description saying that if the client indeed wants to connect to the same
server again, it can send an IKE_SA_INIT message without the
REDIRECT_SUPPORTED message.

Thanks
Srini


-----Original Message-----
From: Vijay Devarapalli [mailto:[email protected]] 
Sent: Thursday, March 19, 2009 10:25 AM
To: Addepalli Srini-B22160
Cc: IPsecme WG
Subject: Re: Behavior of VPN Gateway when Client does not accept/ignores
REDIRECT notification

Addepalli Srini-B22160 wrote:
> Hi Vijay,
> 
> Vijay> No. The client must start using the new gateway.
> 
> I think that MUST is a strong word and "SHOULD" is okay.
> 
> In any case, this clarity should be there in the text I mentioned
> before.

When the REDIRECT is received during the IKE_SA_INIT exchange, the IKEv2
SA is not created. Is it enough if I say, the IKEv2 SA is not created?
This implies the client cannot continue using the current gateway.

Vijay

> 
> Thanks
> Srini
> 
> 
> 
> -----Original Message-----
> From: Vijay Devarapalli [mailto:[email protected]] 
> Sent: Wednesday, March 18, 2009 11:36 AM
> To: Addepalli Srini-B22160
> Cc: IPsecme WG
> Subject: Re: Behavior of VPN Gateway when Client does not accept/ignores
> REDIRECT notification
> 
> Addepalli Srini-B22160 wrote:
>> From the draft, it is not clear on the VPN Responder behavior if
>> Initiator proceeds with SA establishment even after receiving "REDIRECT"
>> notification from the VPN Gateway.
>>
>> Draft indicates following:
>>
>>    When the VPN client receives the IKE_SA_INIT response with the
>>    REDIRECT payload, it initiates a new IKE_SA_INIT exchange with the
>>    VPN gateway listed in the REDIRECT payload.  The VPN client includes
>>    the IP address of the original VPN gateway that redirected the
>>    client.  The IKEv2 exchange then proceeds as normal with the selected
>>    VPN gateway.
>>
>>
>> I believe that VPN gateway should not stop Client proceeding further
>> with IKE negotiation even after it sends the REDIRECT notification in
>> response to IKE_SA_INIT message. 
> 
> No. The client must start using the new gateway.
> 
> Vijay
> 
>> If that is what is intended, it is good
>> if above text clarifies that further.
>>
>> Thanks
>> Srini
>>
>>
> 
> 


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
