Hi Gaurav. In IKEv2, we don't call them cookies any more, but IKE SPIs. Since you're initiating, you start with just the initiator IKE SPI (not a pair), and the message ID for the first message is zero, not 1.
IKE SA INIT messages always have message ID zero. I would bet that many implementations rely on this. So you should really use a new initiator IKE SPI.

Yoav

On Dec 17, 2010, at 8:05 PM, Gaurav Poothia wrote:

> Hello,
>
> Re: the part of RFC 5996 Sec 1.2 that talks about DH retry in the case where the initiator guesses the wrong DH group in SA INIT.
>
> It's not clear to me whether the expectation is for the second SA INIT attempt (this time with the DH group hinted at by the peer) to start afresh with a new IKE cookie pair (message ID 1), OR whether it must retain the existing cookie pair (message ID 2).
>
> AFAICT either way is acceptable since both achieve the same end. The former seems slightly easier. Please correct me though if one approach is strictly the right way, and if so, why.
>
> Thanks
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
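The following is a worked example added to this archive page; it is not code from the thread participants or from any IKE implementation. It models the exchange discussed above with a toy responder that enforces the header rules Yoav states (responder SPI zero and message ID zero on every IKE_SA_INIT request) and an initiator that, on INVALID_KE_PAYLOAD, restarts with a fresh initiator SPI and the suggested group. The IKEv2 header layout, exchange type 34, notify type 17 and the Diffie-Hellman group numbers 14 and 19 are taken from RFC 5996; the request body is a constructed simplification that carries only the 16-bit DH Group Num a real KE payload begins with, and `ToyResponder`, `run_initiator` and the string outcomes are assumptions of this example.

```python
import os
import struct

# IKEv2 header field values (RFC 5996 sections 3.1 and 3.10.1)
IKEV2_VERSION = 0x20        # major version 2, minor version 0
IKE_SA_INIT = 34            # exchange type
FLAG_INITIATOR = 0x08       # I bit: message comes from the original initiator
FLAG_RESPONSE = 0x20        # R bit: message is a response
NEXT_PAYLOAD_KE = 34        # Key Exchange payload type
INVALID_KE_PAYLOAD = 17     # notify message type carrying the accepted DH group
HEADER_FMT = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes
ZERO_SPI = bytes(8)


def build_sa_init_request(spi_i, msg_id, dh_group):
    # Constructed simplification: the body holds only the DH Group Num field of the
    # KE payload; the SA payload, nonce and key exchange data are omitted.
    body = struct.pack("!H", dh_group)
    hdr = struct.pack(HEADER_FMT, spi_i, ZERO_SPI, NEXT_PAYLOAD_KE, IKEV2_VERSION,
                      IKE_SA_INIT, FLAG_INITIATOR, msg_id, HEADER_LEN + len(body))
    return hdr + body


def parse_header(pkt):
    fields = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    names = ("spi_i", "spi_r", "next_payload", "version", "exchange", "flags", "msg_id", "length")
    return dict(zip(names, fields))


class ToyResponder:
    """Hypothetical responder that answers IKE_SA_INIT and checks the header invariants."""

    def __init__(self, accepted_group):
        self.accepted_group = accepted_group

    def handle(self, pkt):
        h = parse_header(pkt)
        if h["version"] != IKEV2_VERSION or h["exchange"] != IKE_SA_INIT:
            return ("drop", "not an IKEv2 IKE_SA_INIT")
        if not (h["flags"] & FLAG_INITIATOR) or (h["flags"] & FLAG_RESPONSE):
            return ("drop", "flags do not mark an initiator request")
        if h["spi_r"] != ZERO_SPI:
            return ("drop", "responder SPI must be zero in an IKE_SA_INIT request")
        if h["msg_id"] != 0:
            return ("drop", "IKE_SA_INIT must carry message ID 0")
        if h["length"] != len(pkt):
            return ("drop", "header length does not match the datagram")
        (group,) = struct.unpack("!H", pkt[HEADER_LEN:HEADER_LEN + 2])
        if group != self.accepted_group:
            # RFC 5996 section 1.2: reject the guess and name the accepted group.
            # No state is created for this initiator SPI.
            return ("invalid_ke", struct.pack("!HH", INVALID_KE_PAYLOAD, self.accepted_group))
        # Accepted: allocate a responder SPI for the new half-open IKE SA.
        return ("ok", os.urandom(8))


def run_initiator(responder, first_group, max_attempts=2):
    """Runs IKE_SA_INIT, restarting with a fresh SPI and message ID 0 on INVALID_KE_PAYLOAD.

    Returns (outcome, attempts) where attempts lists (spi_i, msg_id, dh_group) per try.
    """
    attempts = []
    group = first_group
    for _ in range(max_attempts):
        spi_i = os.urandom(8)              # every fresh IKE_SA_INIT gets a new initiator SPI
        attempts.append((spi_i, 0, group))
        outcome, data = responder.handle(build_sa_init_request(spi_i, 0, group))
        if outcome != "invalid_ke":
            return outcome, attempts
        notify_type, group = struct.unpack("!HH", data)
        if notify_type != INVALID_KE_PAYLOAD:
            return ("drop", attempts)
    return ("gave_up", attempts)


if __name__ == "__main__":
    responder = ToyResponder(accepted_group=19)   # responder only accepts 256-bit ECP
    outcome, attempts = run_initiator(responder, first_group=14)  # initiator guesses 2048-bit MODP
    for spi_i, msg_id, group in attempts:
        print(f"IKE_SA_INIT spi_i={spi_i.hex()} msg_id={msg_id} group={group}")
    print("outcome:", outcome)
    # Reusing the old SPI with message ID 1 or 2, the alternative raised in the
    # question, is dropped by this responder before any payload is examined.
    print(responder.handle(build_sa_init_request(attempts[0][0], 1, 19)))
```

Running the script shows two attempts with different initiator SPIs, both with message ID 0, the second carrying group 19, and a final `drop` for a retry that keeps the first SPI and bumps the message ID.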