Valery Smyslov writes:
> Yes, there is no obvious mapping between ID_KEY_ID and certificates and
> thus ID_KEY_ID is out of scope for RFC4945.
As rfc5996 describes ID_KEY_ID as
"An opaque octet stream that may be used to pass vendor-specific
information necessary to do certain proprietary types o
And this not the only contradiction between RFC5996 and RFC4945 -
the latter requires ID_IPV*_ADDR to match source IP address of IKE
packet by default, while the former explicitely allows not to do it
in any case.
RFC4945 requires that implementations "MUST be capable of verifying"
the ID_IPV*_A