V Jyothi-B22245 writes:
> I found an issue in the case of minimal implementations.
> Minimal implementations may not support CREATE_CHILD_SA exchanges; the
> CHILD SA gets created as part of the AUTH exchange.

Minimal implementations most likely do not understand
SINGLE_PAIR_REQUIRED either, so such an implementation will most likely
simply get the IKE SA up and then delete it, as it does not have
anything useful to do with it.

> In this case, if the responder sends SINGLE_PAIR_REQUIRED, minimal
> implementations cannot start a CREATE_CHILD_SA exchange, and a minimal
> implementation should not establish the IKE SA because the CHILD SA is
> not yet established, and it may not be the right solution to keep the
> SINGLE_PAIR_REQUIRED notify reception information around to use it in a
> new IKEv2 exchange.

Even a minimal implementation is required to set up the IKE SA when
the Child SA creation in the IKE_AUTH exchange fails:
----------------------------------------------------------------------
1.2.  The Initial Exchanges
...
   If creating the Child SA during the IKE_AUTH exchange fails for some
   reason, the IKE SA is still created as usual.  
----------------------------------------------------------------------

So the IKE SA is up, but the next question is what the minimal
implementation can do next. If it does not support CREATE_CHILD_SA and
it does not have a Child SA up, it will most likely tear down the IKE
SA by sending a delete notification. If it is a really minimal
implementation, then it most likely does not have any special handling
for SINGLE_PAIR_REQUIRED, and it might not even support such traffic
selectors (or they might not be allowed by policy), so most likely
some kind of policy change is required before it can connect to the
server.

In this case IKEv2 does not always fix mismatched policy situations
automatically, and the policy needs to be changed manually. I do not
consider this a problem.

> Instead, the initiator can try sending an AUTH request with single
> traffic selectors.

If it does that, it needs to start from the beginning, i.e. from
IKE_SA_INIT, as the previous IKE SA is already up and running, and it
cannot have any more IKE_AUTH exchanges on it, as the one IKE_AUTH
exchange has already finished.
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
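The sequence of exchanges discussed in the reply above, modelled as an added toy example. This is not code from the thread or from any real IKEv2 stack: payload encoding, authentication and the traffic selector details (protocol, port ranges) are abstracted away, the responder's policy is simply "one TS pair per Child SA", and the subnet strings in SAMPLE_TWO_PAIRS are constructed sample input. It shows the three points made above: the IKE SA comes up even when the Child SA in IKE_AUTH fails with SINGLE_PAIR_REQUIRED (RFC 7296 section 1.2), a full initiator recovers with CREATE_CHILD_SA on the existing IKE SA while a minimal one can only delete the IKE SA, and a second IKE_AUTH on an already authenticated IKE SA is refused, so a retry has to start again at IKE_SA_INIT.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A traffic selector pair: (initiator-side selector, responder-side selector).
# Real TSi/TSr payloads also carry protocol and port ranges; abstracted here.
TSPair = Tuple[str, str]

SINGLE_PAIR_REQUIRED = "SINGLE_PAIR_REQUIRED"   # notify type, RFC 7296 3.10.1

# Constructed sample proposal: two TS pairs, which the responder will reject.
SAMPLE_TWO_PAIRS: List[TSPair] = [("10.0.0.0/24", "10.1.0.0/24"),
                                  ("10.0.1.0/24", "10.1.0.0/24")]


@dataclass
class IkeSa:
    spi: int
    authenticated: bool = False                   # IKE_AUTH exchange completed
    child_sas: List[TSPair] = field(default_factory=list)
    deleted: bool = False


class Responder:
    """Responder whose policy accepts only one TS pair per Child SA (assumed)."""

    def __init__(self) -> None:
        self._next_spi = 1
        self.sas: Dict[int, IkeSa] = {}

    def ike_sa_init(self) -> int:
        spi = self._next_spi
        self._next_spi += 1
        self.sas[spi] = IkeSa(spi)
        return spi

    @staticmethod
    def _check_ts(ts_pairs: List[TSPair]) -> Optional[str]:
        return None if len(ts_pairs) == 1 else SINGLE_PAIR_REQUIRED

    def ike_auth(self, spi: int, ts_pairs: List[TSPair]) -> Optional[str]:
        sa = self.sas[spi]
        if sa.authenticated:
            # An IKE SA has exactly one IKE_AUTH exchange; once it is done,
            # trying IKE_AUTH again means a fresh IKE_SA_INIT.
            raise ValueError("IKE_AUTH already completed on this IKE SA")
        sa.authenticated = True   # RFC 7296 1.2: IKE SA is created even if the Child SA fails
        err = self._check_ts(ts_pairs)
        if err is None:
            sa.child_sas.append(ts_pairs[0])
        return err

    def create_child_sa(self, spi: int, ts_pairs: List[TSPair]) -> Optional[str]:
        sa = self.sas[spi]
        if not sa.authenticated or sa.deleted:
            raise ValueError("no usable IKE SA for CREATE_CHILD_SA")
        err = self._check_ts(ts_pairs)
        if err is None:
            sa.child_sas.append(ts_pairs[0])
        return err

    def delete_ike_sa(self, spi: int) -> None:
        self.sas[spi].deleted = True


class Initiator:
    def __init__(self, responder: Responder, supports_create_child_sa: bool) -> None:
        self.responder = responder
        self.supports_create_child_sa = supports_create_child_sa

    def connect(self, ts_pairs: List[TSPair]) -> Tuple[int, List[str], str]:
        """Run the exchanges; return (IKE SPI, exchange trace, outcome)."""
        trace: List[str] = []
        spi = self.responder.ike_sa_init()
        trace.append("IKE_SA_INIT")
        err = self.responder.ike_auth(spi, ts_pairs)
        trace.append("IKE_AUTH" if err is None else f"IKE_AUTH ({err})")
        if err is None:
            return spi, trace, "child SA up"
        if err == SINGLE_PAIR_REQUIRED and self.supports_create_child_sa:
            # Full implementation: keep the IKE SA and request one of the
            # proposed pairs in a CREATE_CHILD_SA exchange.
            err = self.responder.create_child_sa(spi, [ts_pairs[0]])
            trace.append("CREATE_CHILD_SA" if err is None else f"CREATE_CHILD_SA ({err})")
            if err is None:
                return spi, trace, "child SA up"
        # Minimal implementation: an IKE SA without a Child SA is useless to
        # it, so it deletes the IKE SA.  Reconnecting starts again at
        # IKE_SA_INIT, and the SINGLE_PAIR_REQUIRED hint is not carried over.
        self.responder.delete_ike_sa(spi)
        trace.append("INFORMATIONAL (delete IKE SA)")
        return spi, trace, "IKE SA deleted, policy change needed"


def retry_ike_auth_rejected(responder: Responder, spi: int, ts_pairs: List[TSPair]) -> bool:
    """True if a second IKE_AUTH on an already authenticated IKE SA is refused."""
    try:
        responder.ike_auth(spi, ts_pairs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    r = Responder()
    for full in (True, False):
        print(Initiator(r, full).connect(SAMPLE_TWO_PAIRS))
```

Running the module prints the trace for a full and a minimal initiator against the same responder; the minimal one only gets a Child SA once it is pointed at a single pair, which in practice means the policy change mentioned above.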