Hi,

RFC 5996 says this about INITIAL_CONTACT:

   The INITIAL_CONTACT notification asserts that this IKE SA is the only IKE SA currently active between the authenticated identities. It MAY be sent when an IKE SA is established after a crash, and the recipient MAY use this information to delete any other IKE SAs it has to the same authenticated identity without waiting for a timeout. This notification MUST NOT be sent by an entity that may be replicated (e.g., a roaming user's credentials where the user is allowed to connect to the corporate firewall from two remote systems at the same time). The INITIAL_CONTACT notification, if sent, MUST be in the first IKE_AUTH request or response, not as a separate exchange afterwards; receiving parties MAY ignore it in other messages.

My question is whether the INITIAL_CONTACT notification can be sent in an IKE_AUTH response. If yes, under which condition will this notification be sent by the responder? Could you please clarify?

Regards,
Pavan
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
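
How a recipient can act on the notification described in the quoted RFC text, as an added example that is not part of the original post and is not strongSwan's code. The `IkeSa` and `SaTable` types, the SA labels and the peer names are hypothetical and constructed for illustration; the same handling applies whether the message received is the first IKE_AUTH request or the first IKE_AUTH response.

```python
from dataclasses import dataclass, field

INITIAL_CONTACT = 16384  # Notify message type value from RFC 5996


@dataclass(frozen=True)
class IkeSa:
    spi: str       # constructed label standing in for the IKE SPI pair
    peer_id: str   # identity the peer proved in IKE_AUTH (IDi or IDr)


@dataclass
class SaTable:
    sas: dict = field(default_factory=dict)

    def on_ike_auth(self, new_sa, notifies, authenticated, first_ike_auth=True):
        """Handle a received IKE_AUTH message; return the SPIs that were deleted."""
        if not authenticated:
            # The assertion covers *authenticated* identities, so an unverified
            # peer must never be able to tear down existing SAs.
            return []
        stale = []
        if INITIAL_CONTACT in notifies and first_ike_auth:
            stale = [spi for spi, sa in self.sas.items()
                     if sa.peer_id == new_sa.peer_id and spi != new_sa.spi]
            for spi in stale:
                del self.sas[spi]
        self.sas[new_sa.spi] = new_sa
        return stale


def demo():
    table = SaTable()
    table.on_ike_auth(IkeSa("sa-1", "gw.example.org"), [], True)
    table.on_ike_auth(IkeSa("sa-2", "laptop.example.org"), [], True)
    # Peer restarted and re-authenticated: the old SA is dropped at once.
    after_crash = table.on_ike_auth(
        IkeSa("sa-3", "gw.example.org"), [INITIAL_CONTACT], True)
    # Same notify outside the first IKE_AUTH message: ignored (a MAY in the RFC).
    late = table.on_ike_auth(
        IkeSa("sa-4", "gw.example.org"), [INITIAL_CONTACT], True, first_ike_auth=False)
    # Failed authentication: nothing deleted, nothing installed.
    forged = table.on_ike_auth(
        IkeSa("sa-5", "gw.example.org"), [INITIAL_CONTACT], False)
    return after_crash, late, forged, sorted(table.sas)
```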
