https://tools.ietf.org/html/draft-kampati-ipsecme-ikev2-sa-ts-payloads-opt-00

1) In case of IKE or IPsec rekey, when there is a change in cryptographic suite at the responder, it is preferable for the responder to send a NO_PROPOSAL_CHOSEN payload to the initiator.

2) In case of only IPsec rekey, it is preferable for the responder to send a TS_UNACCEPTABLE payload to the initiator when there is a change in flow configuration (access list) at the responder.

3) In the above 2 cases, after receiving the ERROR notify payload, the initiator should perform a fresh rekey by including SA and TS payloads.

In addition to the suggestions mentioned by Poul, I would like to add a few more:

4) In case of IPsec rekey, when the initiator/responder is not including SA and TS payloads, it is better to send CHILD_SA_TS_UNCHANGED and include the new SPI value. This confirms that we are not including SA and TS payloads explicitly. If possible it is better to include the old SPI value as well, to avoid the REKEY_SA payload.

5) In case of IPsec or IKE rekey, if the initiator/responder doesn't include the SA payload, it is preferable to send a CHILD_SA_UNCHANGED payload and include the new SPI value.

6) In case of IPsec rekey, if the initiator doesn't include the TS payload, it is preferable to send CHILD_TS_UNCHANGED.

Sowjanya Yeluri
Cisco

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
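The rekey handling proposed in the post above, as an added example that is not from the post or the draft: a constructed model of a responder applying rules 1, 2 and 4 to 6 and an initiator applying rule 3. The CHILD_*_UNCHANGED names follow the post and are not registered IKEv2 notify types; the message fields are a simplification, not the IKEv2 wire format.

```python
from dataclasses import dataclass
from typing import Optional

# Notify names as used in the post; CHILD_*_UNCHANGED are the post's proposals.
NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE = "NO_PROPOSAL_CHOSEN", "TS_UNACCEPTABLE"
CHILD_SA_TS_UNCHANGED = "CHILD_SA_TS_UNCHANGED"
CHILD_SA_UNCHANGED, CHILD_TS_UNCHANGED = "CHILD_SA_UNCHANGED", "CHILD_TS_UNCHANGED"

@dataclass
class RekeyRequest:
    kind: str                 # "ipsec" or "ike"
    old_spi: int              # SPI of the Child SA being rekeyed
    sa: Optional[str] = None  # crypto suite; None means the SA payload was omitted
    ts: Optional[str] = None  # traffic selectors; None means the TS payload was omitted

class Responder:
    def __init__(self, sa_suite, sa_ts, next_spi=0x1000):
        # What the existing Child SA was negotiated with, and the current local config.
        self.sa_suite, self.sa_ts = sa_suite, sa_ts
        self.cur_suite, self.cur_ts = sa_suite, sa_ts
        self.next_spi = next_spi

    def handle(self, req):
        # Rules 1 and 2: if the omitted payload would have covered a local change,
        # answer with the error notify so the initiator falls back to a full rekey.
        if (req.sa is None and self.cur_suite != self.sa_suite) or \
                (req.sa is not None and req.sa != self.cur_suite):
            return {"error": NO_PROPOSAL_CHOSEN}
        if req.kind == "ipsec" and req.ts is None and self.cur_ts != self.sa_ts:
            return {"error": TS_UNACCEPTABLE}
        # Rules 4 to 6: confirm which payloads were left out, carry new and old SPI.
        if req.kind == "ike":
            notify = CHILD_SA_UNCHANGED if req.sa is None else None
        elif req.sa is None and req.ts is None:
            notify = CHILD_SA_TS_UNCHANGED
        elif req.sa is None:
            notify = CHILD_SA_UNCHANGED
        elif req.ts is None:
            notify = CHILD_TS_UNCHANGED
        else:
            notify = None  # full rekey: ordinary CREATE_CHILD_SA response
        spi, self.next_spi = self.next_spi, self.next_spi + 1
        self.sa_suite, self.sa_ts = req.sa or self.cur_suite, req.ts or self.cur_ts
        return {"notify": notify, "new_spi": spi, "old_spi": req.old_spi}

def rekey(init_suite, init_ts, responder, kind="ipsec", old_spi=0x10):
    """Rule 3: try the optimised rekey first; on an error notify, redo it with SA and TS."""
    attempts = [responder.handle(RekeyRequest(kind, old_spi))]
    if "error" in attempts[0]:
        attempts.append(responder.handle(RekeyRequest(kind, old_spi, init_suite, init_ts)))
    return attempts
```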
