pasi.ero...@nokia.com writes:
> Anyone else in the WG care to comment? If the gateway sends REDIRECT
> in the last IKE_AUTH response, can the client ignore it and continue
> using the IKE_SA?

I did assume that, as the IKE SA was created completely and it is
usable. Of course the client should follow the redirection and delete the
IKE SA after that is finished, but there is nothing which results in the
IKE SA being unusable in that case.

> (REDIRECT during IKE_SA_INIT clearly cannot be ignored by the 
> client; at least, it cannot continue the IKE negotiation.)

Same goes for the REDIRECT during the IKE_AUTH if redirection is done
based on the unauthenticated identity (i.e. IKE SA is not finished). 
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
