In section 2 it says:

   Note that IKEv2 and IPsec session do not need to be on the same node
   as IKEv2 and IPsec context are different.

This is not so easy. RFC 5996 says:

----------------------------------------------------------------------
2.4.  State Synchronization and Connection Timeouts
...
   An implementation needs to stop sending over any SA if
   some failure prevents it from receiving on all of the associated SAs.
   If a system creates Child SAs that can fail independently from one
   another without the associated IKE SA being able to send a delete
   message, then the system MUST negotiate such Child SAs using separate
   IKE SAs.
----------------------------------------------------------------------

I.e. if any of the IPsec SAs fails, then all of the IPsec SAs created
using the same IKE SA, and the IKE SA itself, must also fail. If the
IPsec SAs and the IKE SA are on separate nodes, that does set up a new
kind of requirement for those nodes. I.e. if one node holding IPsec SAs
fails, the node holding the IKE SA needs to detect this and send a
delete notification for each IPsec SA that was on that node. Also, if
the node holding the IKE SA fails, then all the IPsec SAs associated
with that IKE SA must stop sending, i.e. they need to be destroyed.
-- 
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
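The two failure cases described in the post above, as an added example that is not part of the mailing-list thread or of any IKEv2 implementation: a small model of an IKE SA owner that only records which IPsec node holds each Child SA. When an IPsec node fails, the owner stops those Child SAs and produces the Delete payloads (RFC 5996 section 3.11 layout: Protocol ID, SPI Size, Num of SPIs, SPIs; an IKE SA delete carries no SPIs) that it must send to the peer; when the IKE SA owner itself fails, the IPsec side tears down every Child SA under that IKE SA. Node names, SPIs and the Child SA table are constructed; the class and function names are hypothetical.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List

# Delete payload Protocol IDs (RFC 5996 section 3.11).
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3


@dataclass
class ChildSA:
    spi_in: int    # SPI the peer puts on packets sent to us; this is what a Delete carries
    proto: int     # PROTO_ESP or PROTO_AH
    node: str      # hypothetical name of the IPsec node holding this Child SA
    sending: bool = True


def delete_payload(proto: int, spis: List[int]) -> bytes:
    """Encode a Delete payload body: Protocol ID, SPI Size, Num of SPIs, SPIs.
    An IKE SA delete carries no SPIs (SPI Size 0, Num of SPIs 0)."""
    if proto == PROTO_IKE:
        spis = []
    spi_size = 0 if proto == PROTO_IKE else 4
    body = struct.pack("!BBH", proto, spi_size, len(spis))
    for spi in spis:
        body += struct.pack("!I", spi)
    return body


@dataclass
class IkeSaOwner:
    """The node holding the IKE SA; it tracks where each Child SA lives."""
    children: Dict[int, ChildSA] = field(default_factory=dict)

    def add(self, child: ChildSA) -> None:
        self.children[child.spi_in] = child

    def ipsec_node_failed(self, node: str) -> List[bytes]:
        """Case 1 from the post: an IPsec node died. Every Child SA it held can no
        longer receive, so it must stop sending, and the IKE SA owner must send the
        peer a Delete for each of them (one payload per protocol)."""
        lost = [c for c in self.children.values() if c.node == node]
        by_proto: Dict[int, List[int]] = {}
        for c in lost:
            c.sending = False
            del self.children[c.spi_in]
            by_proto.setdefault(c.proto, []).append(c.spi_in)
        return [delete_payload(p, s) for p, s in sorted(by_proto.items())]


def ike_sa_owner_failed(children: List[ChildSA]) -> List[ChildSA]:
    """Case 2 from the post: the node holding the IKE SA died, so no Delete can be
    sent. Each IPsec node must detect this and tear down every Child SA negotiated
    under that IKE SA. Returns the SAs that were stopped."""
    for c in children:
        c.sending = False
    return children


def build_sample() -> IkeSaOwner:
    # Constructed sample: two ESP Child SAs on "ipsec-a", one AH Child SA on "ipsec-b".
    owner = IkeSaOwner()
    owner.add(ChildSA(0x11111111, PROTO_ESP, "ipsec-a"))
    owner.add(ChildSA(0x22222222, PROTO_ESP, "ipsec-a"))
    owner.add(ChildSA(0x33333333, PROTO_AH, "ipsec-b"))
    return owner


if __name__ == "__main__":
    owner = build_sample()
    for payload in owner.ipsec_node_failed("ipsec-a"):
        print("send Delete:", payload.hex())
    survivors = list(owner.children.values())
    print("still sending:", [hex(c.spi_in) for c in survivors if c.sending])
    for c in ike_sa_owner_failed(survivors):
        print("IKE SA owner gone, stopped:", hex(c.spi_in), c.sending)
```

The Delete for "ipsec-a" lists both ESP SPIs in one payload (Protocol ID 3, SPI Size 4, Num of SPIs 2); the second case returns no payload at all, which is exactly the situation RFC 5996 section 2.4 rules out unless those Child SAs were negotiated under a separate IKE SA.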
