I'm curious how IKEv2-only implementations have approached the problem of dealing with IKEv1 proposals. IKEv2 defines an INVALID_MAJOR_VERSION notify, but it only carries a maximum version and not a minimum version. (I wonder if that is an oversight.) IKEv1 (in RFC 2408) defines an INVALID-MAJOR-VERSION notify which MAY be sent. The RFC does not discuss whether the notify carries any data.
If I wanted to send an "IKEv1 not supported" indication from an IKEv2-only daemon, I think I would use the IKEv1 INVALID-MAJOR-VERSION notify and not send any SPI or notification data in the payload. How have existing IKEv2-only implementations approached this? Do you ignore IKEv1 messages, or do you send an error notification in response?

Thanks,
Scott Moonen ([email protected])
Secure Hybrid Cloud and z/OS Communications Server
http://www.linkedin.com/in/smoonen

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
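The version dispatch the question turns on, written out as an added example (this is not code from the email, the IETF IPsec list, or any IKE implementation). It parses the 28-octet header that ISAKMP/IKEv1 and IKEv2 share, then does the two things the RFCs describe: for a major version above 2 it builds the IKEv2 INVALID_MAJOR_VERSION notify of RFC 7296 carrying the highest supported major version as a one-octet datum, and for a major version of 1 it builds the IKEv1 Notification payload of RFC 2408 with no SPI and no notification data, as the email proposes. Assumptions are marked in comments: the daemon supports only major version 2, the responder cookie in the reply is left as zeros because no SA exists, and the sample packets are constructed header-only inputs.

```python
import struct

# 28-octet header shared by ISAKMP/IKEv1 (RFC 2408) and IKEv2 (RFC 7296):
# initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR_LEN = 28
ISAKMP_HDR_FMT = "!8s8sBBBBII"

# Notify message type INVALID-MAJOR-VERSION / INVALID_MAJOR_VERSION is 5 in both RFC 2408 and RFC 7296.
INVALID_MAJOR_VERSION = 5

IKEV1_PAYLOAD_NOTIFICATION = 11   # RFC 2408 payload type "Notification"
IKEV1_EXCH_INFORMATIONAL = 5      # RFC 2408 exchange type "Informational"
IKEV2_PAYLOAD_NOTIFY = 41         # RFC 7296 payload type "Notify"
IKEV2_EXCH_IKE_SA_INIT = 34       # RFC 7296 exchange type IKE_SA_INIT
IKEV2_FLAG_RESPONSE = 0x20        # RFC 7296 header flag R

SUPPORTED_MAJOR = 2               # assumption: this daemon speaks IKEv2 only


def parse_isakmp_header(pkt: bytes) -> dict:
    """Split the common header into fields; major/minor are the two nibbles of the version octet."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("packet shorter than the 28-octet ISAKMP/IKE header")
    ispi, rspi, np, ver, exch, flags, mid, length = struct.unpack(ISAKMP_HDR_FMT, pkt[:ISAKMP_HDR_LEN])
    return {"ispi": ispi, "rspi": rspi, "next_payload": np,
            "major": ver >> 4, "minor": ver & 0x0F,
            "exchange": exch, "flags": flags, "message_id": mid, "length": length}


def classify(pkt: bytes) -> str:
    """'ikev1' / 'ikev2' / 'newer' by major version; 'newer' is what RFC 7296 INVALID_MAJOR_VERSION covers."""
    major = parse_isakmp_header(pkt)["major"]
    if major == 1:
        return "ikev1"
    if major == SUPPORTED_MAJOR:
        return "ikev2"
    return "newer"


def build_ikev1_invalid_major_version(ispi: bytes) -> bytes:
    """RFC 2408 Informational exchange carrying one Notification payload and nothing else.

    Notification payload layout: Next Payload(1) RESERVED(1) Length(2) DOI(4) Protocol-ID(1)
    SPI Size(1) Notify Type(2), then SPI and data, both omitted here (SPI Size 0, no data).
    DOI 0 = generic ISAKMP (RFC 2408 s3.14); Protocol-ID 1 = PROTO_ISAKMP (RFC 2407).
    """
    payload = struct.pack("!BBHIBBH", 0, 0, 12, 0, 1, 0, INVALID_MAJOR_VERSION)
    hdr = struct.pack(ISAKMP_HDR_FMT, ispi, bytes(8), IKEV1_PAYLOAD_NOTIFICATION, 0x10,
                      IKEV1_EXCH_INFORMATIONAL, 0, 0, ISAKMP_HDR_LEN + len(payload))
    return hdr + payload


def build_ikev2_invalid_major_version(ispi: bytes, message_id: int) -> bytes:
    """RFC 7296 IKE_SA_INIT response with one Notify payload.

    Notify payload layout: Next Payload(1) C/RESERVED(1) Length(2) Protocol ID(1) SPI Size(1)
    Notify Type(2) Data; for INVALID_MAJOR_VERSION the data is one octet, the highest major supported.
    """
    payload = struct.pack("!BBHBBHB", 0, 0, 9, 0, 0, INVALID_MAJOR_VERSION, SUPPORTED_MAJOR)
    hdr = struct.pack(ISAKMP_HDR_FMT, ispi, bytes(8), IKEV2_PAYLOAD_NOTIFY, 0x20,
                      IKEV2_EXCH_IKE_SA_INIT, IKEV2_FLAG_RESPONSE, message_id, ISAKMP_HDR_LEN + len(payload))
    return hdr + payload


def respond(pkt: bytes):
    """Return the notify to send back, or None when the packet should go to normal IKEv2 processing."""
    hdr = parse_isakmp_header(pkt)
    kind = classify(pkt)
    if kind == "ikev2":
        return None
    if kind == "ikev1":
        return build_ikev1_invalid_major_version(hdr["ispi"])
    return build_ikev2_invalid_major_version(hdr["ispi"], hdr["message_id"])


# Constructed sample inputs (header only, no payloads): an IKEv1 Main Mode first message
# (version 0x10, exchange 2 = Identity Protection, next payload 1 = SA), an IKEv2 IKE_SA_INIT
# request (version 0x20, next payload 33 = SA), and a hypothetical major version 3 message.
SAMPLE_IKEV1 = struct.pack(ISAKMP_HDR_FMT, b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, ISAKMP_HDR_LEN)
SAMPLE_IKEV2 = struct.pack(ISAKMP_HDR_FMT, b"\x22" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, ISAKMP_HDR_LEN)
SAMPLE_V3 = struct.pack(ISAKMP_HDR_FMT, b"\x33" * 8, bytes(8), 33, 0x30, 34, 0x08, 0, ISAKMP_HDR_LEN)

if __name__ == "__main__":
    for name, pkt in (("ikev1", SAMPLE_IKEV1), ("ikev2", SAMPLE_IKEV2), ("v3", SAMPLE_V3)):
        reply = respond(pkt)
        print(name, classify(pkt), None if reply is None else reply.hex())
```

Whatever a daemon decides about answering at all, these replies go out before any SA or authentication exists, so a deployment that sends them is choosing to spend a packet on every unauthenticated probe; silently dropping, the other option the email names, costs nothing but leaves the peer to time out.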
