Hi Ramu,

 

You can have a middle router between two IKE peers.

1. Establish the IKE and IPsec SA

2. Make one of the interfaces on the middle router down.

3. Then ensure IKE/IPsec rekey happens simultaneously on both the
routers. Since the middle router is down, the packets don't reach the
peer, but are retransmitted.

4. Now make the interface up. The IKE/IPsec rekey packets cross
each other. And simultaneous rekey happens.

 

Regards,

Kalyani

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
Of B Rampullaiah-B22344
Sent: Friday, July 22, 2011 5:35 PM
To: ip...@ietfa.amsl.com
Subject: [IPsec] Need Info related to simultaneous rekey of IKE/IPSec
SAs.

 

Hi,

 

I need some information for the simulation of the following cases
related to IKEv2 Exchange Collision Mechanism Implementation as per the
RFC-4718.

 

1. When the host receives a request to rekey - a CHILD_SA pair that the
host is currently rekeying:

Reply as usual, but prepare to close redundant SAs later based on the
nonces.

 

2. When the host receives a request to rekey - the IKE_SA, and the host
is currently rekeying the IKE_SA:

Reply as usual, but prepare to close redundant SAs and move inherited
CHILD_SAs later based on the nonces.

 

3. If a host receives a request to create or rekey a CHILD_SA when it is
currently rekeying the IKE_SA:

      Reply with NO_ADDITIONAL_SAS.

 

How to simulate the simultaneous rekeying of IKE/IPSec SAs?

 

Regds,

Ramu.
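
Added example, not part of either message and not code from any IKE implementation: a Python model of the crossing rekey requests from the steps above and of the nonce-based clean-up in cases 1 and 2. It assumes the SA negotiated with the lowest of the four nonces is the redundant one, that the endpoint which initiated that exchange closes it, and that "lowest" means an octet-by-octet comparison; `RekeyExchange`, `redundant_exchange` and `simulate_crossing_rekey` are hypothetical names.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyExchange:
    initiator: str  # endpoint that sent the CREATE_CHILD_SA rekey request
    ni: bytes       # nonce carried in the request
    nr: bytes       # nonce carried in the peer's reply


def redundant_exchange(a, b):
    """Return the exchange whose new SA is redundant after a collision.

    Assumption: the SA built with the lowest of the four nonces loses.
    Python compares bytes octet by octet, and a nonce that is a strict
    prefix of another sorts lower, which is the ordering assumed here.
    """
    return min((a, b), key=lambda x: min(x.ni, x.nr))


def simulate_crossing_rekey(nonce_source=os.urandom, nonce_len=32):
    """Model the lab steps: link down, both sides rekey, link up."""
    # Steps 2-3: the middle router interface is down, both lifetimes
    # expire, and each peer keeps retransmitting its own request.
    ni_a = nonce_source(nonce_len)
    ni_b = nonce_source(nonce_len)
    # Step 4: the interface comes up and the requests cross. Each peer
    # replies as usual, so two replacement SAs now exist.
    nr_b = nonce_source(nonce_len)  # B answering A's request
    nr_a = nonce_source(nonce_len)  # A answering B's request
    ex_a = RekeyExchange("A", ni_a, nr_b)
    ex_b = RekeyExchange("B", ni_b, nr_a)
    loser = redundant_exchange(ex_a, ex_b)
    winner = ex_b if loser is ex_a else ex_a
    # Both peers hold all four nonces, so both reach the same verdict.
    return {"keep_sa_from": winner.initiator,
            "close_sa_from": loser.initiator,
            "delete_sent_by": loser.initiator}


if __name__ == "__main__":
    print(simulate_crossing_rekey())
```

Passing a fixed `nonce_source` makes the outcome deterministic, which lets a test bench check that both implementations under test delete the same SA.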

 
