Hi Ramu,
You can have a middle router between two IKE peers.

1. Establish the IKE and IPsec SA.
2. Make one of the interfaces on the middle router down.
3. Then ensure the IKE/IPsec rekey happens simultaneously on both the routers. Since the middle router is down, the packets don't reach the peer, but are retransmitted.
4. Now make the interface up. The IKE/IPsec rekey packets cross each other, and simultaneous rekey happens.

Regards,
Kalyani

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of B Rampullaiah-B22344
Sent: Friday, July 22, 2011 5:35 PM
To: ip...@ietfa.amsl.com
Subject: [IPsec] Need Info related to simultaneous rekey of IKE/IPSec SAs.

Hi,

I need some information for the simulation of the following cases related to the IKEv2 Exchange Collision Mechanism Implementation as per RFC 4718.

1. When the host receives a request to rekey a CHILD_SA pair that the host is currently rekeying: Reply as usual, but prepare to close redundant SAs later based on the nonces.
2. When the host receives a request to rekey the IKE_SA, and the host is currently rekeying the IKE_SA: Reply as usual, but prepare to close redundant SAs and move inherited CHILD_SAs later based on the nonces.
3. If a host receives a request to create or rekey a CHILD_SA when it is currently rekeying the IKE_SA: Reply with NO_ADDITIONAL_SAS.

How to simulate the simultaneous rekeying of IKE/IPSec SAs?

Regds,
Ramu.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
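
Added example, not part of the thread and not code from any IKE implementation: once the two rekey requests have crossed as in the steps above, this is a check a tester can run on the captured nonces to predict which redundant CHILD_SA should be closed in case 1. It assumes the lowest-of-four-nonces rule with the octet-by-octet ordering that RFC 7296 section 2.8.1 spells out; the type, function names and nonce values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyExchange:
    """One of the two colliding CREATE_CHILD_SA rekey exchanges (hypothetical type)."""
    initiator: str  # endpoint that started the exchange and so created its SA
    ni: bytes       # initiator nonce
    nr: bytes       # responder nonce


def redundant_exchange(x: RekeyExchange, y: RekeyExchange) -> RekeyExchange:
    """Return the exchange whose new SA is redundant and must be closed.

    Rule (assumption stated in the lead-in): the SA created with the lowest
    of the four nonces loses. Python compares bytes octet by octet, and a
    nonce that is a strict prefix of another sorts lower, which is the
    ordering the rule asks for (not a big-integer comparison).
    """
    lowest = min(x.ni, x.nr, y.ni, y.nr)
    return x if lowest in (x.ni, x.nr) else y


def closing_endpoint(x: RekeyExchange, y: RekeyExchange) -> str:
    """The endpoint that created the redundant SA is the one that deletes it."""
    return redundant_exchange(x, y).initiator


# Constructed sample nonces, as they might be read from a capture of both exchanges.
FROM_A = RekeyExchange("A", bytes.fromhex("5f" * 16), bytes.fromhex("a1" * 16))
FROM_B = RekeyExchange("B", bytes.fromhex("5e" + "ff" * 15), bytes.fromhex("c3" * 16))

if __name__ == "__main__":
    loser = redundant_exchange(FROM_A, FROM_B)
    print(f"redundant SA: the one from {loser.initiator}'s exchange; "
          f"{closing_endpoint(FROM_A, FROM_B)} sends the Delete")
```
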