Matthew Cini Sarreo writes:
> You still need the IDr and AUTH payloads in the reply. This is needed as
> INVALID_SYNTAX is authenticated and encrypted.

INVALID_SYNTAX is a fatal error, meaning that the other end didn't follow the protocol specification, and the IKE SA is going to be removed anyway, and there is not really any point in putting an AUTH payload there (it can be there, but there is no need).

If the other end is not following the protocol specification (i.e. is non-compliant), there is not really any point in trying to be nice. This is something that cannot be seen by normal customers ever; it should only be seen by the implementors when they are testing against broken implementations.

So better just send the error message back as it is easiest for your implementation (i.e. if it is easy to include AUTH etc. in the error message, then do so; if not, then leave them out).

--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec