Hi Divya,

> Subsequent packets use these cookies, till an IKE_SA rekey happens at
> packet #53, in CREATE_CHILD_SA.
> My understanding is that the cookie values should change only when
> IKE_SA rekey happens, in a CREATE_CHILD_SA packet.

The CREATE_CHILD_SA exchange to rekey an IKE_SA takes place under the old IKE_SA. Hence the CREATE_CHILD_SA exchange, and the following INFORMATIONAL exchange to delete the old IKE_SA, both use the SPIs of the old IKE_SA (under IKEv2 we name these SPIs; COOKIE has a different meaning with IKEv2).

The SPIs of the new IKE_SA are used for any subsequent exchanges on the new IKE_SA, whatever that is. Most likely it is an INFORMATIONAL exchange for DPD checking.

Refer to RFC 5996 for more details on how IKE_SA rekeying works.

Regards
Martin
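The following is an added example, not part of the original message and not strongSwan code. It reads the cleartext IKEv2 header of each packet in a trace and shows, for every change of SPIs, which exchanges closed the old IKE_SA and which opened the new one. The helper names, the sample trace and its SPI values are constructed for illustration.

```python
import struct

# Exchange type numbers from RFC 5996, section 3.1
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
HDR = struct.Struct("!8s8sBBBBII")  # fixed 28-byte IKE header, sent in the clear

def parse_header(data):
    """Return (initiator SPI, responder SPI, exchange name, message ID)."""
    spi_i, spi_r, _np, version, xchg, _flags, msg_id, _len = HDR.unpack_from(data)
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    return spi_i.hex(), spi_r.hex(), EXCHANGE.get(xchg, f"type {xchg}"), msg_id

def exchanges_per_sa(packets):
    """Map initiator SPI -> ordered (exchange, message ID) list, one entry per exchange.
    Keyed on the initiator SPI because the first IKE_SA_INIT request has a zero
    responder SPI; dicts keep first-seen order."""
    sas = {}
    for raw in packets:
        spi_i, _spi_r, name, msg_id = parse_header(raw)
        seen = sas.setdefault(spi_i, [])
        if (name, msg_id) not in seen:  # request and response share a message ID
            seen.append((name, msg_id))
    return sas

def rekey_report(packets):
    """For each new SPI pair, show how the previous IKE_SA ended and the new one began."""
    sas = list(exchanges_per_sa(packets).items())
    report = []
    for (old_spi, old), (new_spi, new) in zip(sas, sas[1:]):
        tail = [name for name, _ in old[-2:]]
        report.append({"old_spi": old_spi, "new_spi": new_spi, "old_tail": tail,
                       "new_first": new[0],
                       "looks_like_rekey": tail == ["CREATE_CHILD_SA", "INFORMATIONAL"]})
    return report

def _pkt(spi_i, spi_r, xchg, msg_id, response=False):
    """Constructed header only (no payloads); flags: 0x08 initiator, 0x20 response."""
    return HDR.pack(spi_i, spi_r, 0, 0x20, xchg, 0x20 if response else 0x08, msg_id, HDR.size)

# Constructed sample trace; SPI values are made up. Message IDs restart at 0
# on the new IKE_SA.
OLD, NEW = (b"\x11" * 8, b"\x22" * 8), (b"\x33" * 8, b"\x44" * 8)
STEPS = [(OLD, 35, 1), (OLD, 37, 2), (OLD, 36, 3), (OLD, 37, 4), (NEW, 37, 0)]
SAMPLE = [_pkt(*sa, x, m, r) for sa, x, m in STEPS for r in (False, True)]

if __name__ == "__main__":
    for entry in rekey_report(SAMPLE):
        print(entry)
```

The payloads of CREATE_CHILD_SA are encrypted, so the header alone cannot tell an IKE_SA rekey from a CHILD_SA rekey; the report only flags the pattern in which new SPIs appear after a CREATE_CHILD_SA and a deleting INFORMATIONAL on the old ones.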
