Hi,
We have a doubt regarding the behavior of the Responder during initial tunnel setup, where the IKE_AUTH request's Proposal Substructure (in the SA payload) does not contain an SPI for Child SA creation.

From RFC 5996, 3.3.1. Proposal Substructure <http://tools.ietf.org/search/rfc5996#section-3.3.1>:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | 0 (last) or 2 |   RESERVED    |         Proposal Length       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Proposal Num  |  Protocol ID  |    SPI Size   |Num  Transforms|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                        SPI (variable)                         ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                        <Transforms>                           ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

If the above header in the IKE_AUTH request from the Initiator contains "SPI Size" as zero and the SPI is not present, what should the behavior of the responder be?

*In our opinion it should return "INVALID_SYNTAX" in the Notify payload of the IKE_AUTH response, with no other payload present in it.*

Below is the RFC reference. Again, from RFC 5996, 3.10.1. Notify Message Types <http://tools.ietf.org/search/rfc5996#section-3.10.1>:

<snip>
   INVALID_SYNTAX                           7

       Indicates the IKE message that was received was invalid because
       some type, length, or value was out of range or because the
       request was rejected for policy reasons.
<snip>

It would be appreciated if someone could provide a pointer where we can confirm our understanding.

Thanks,
Mukesh
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
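The responder-side check the post asks about, as an added example that is not part of the original message and not strongSwan's code. It parses the chain of Proposal Substructures from an SA payload, derives the SPI Size that RFC 5996 3.3.1 requires for the Protocol ID and exchange (0 for IKE in the initial IKE_SA_INIT, 8 for an IKE rekey, 4 for AH/ESP Child SAs), and maps any structural defect, including an ESP proposal with SPI Size 0 in IKE_AUTH, to the INVALID_SYNTAX notify type. The sample proposals are constructed inline, not captured traffic; `build_proposal` and the transform choices (3DES, HMAC-SHA1-96, no ESN) are only there to produce input.

```python
"""Responder-side validation of IKEv2 SA-payload Proposal Substructures (RFC 5996 3.3.1).

Added example, not strongSwan code: walks the proposal chain, checks the SPI Size
against the Protocol ID for the exchange being processed, and maps every
malformed structure to INVALID_SYNTAX (7) from RFC 5996 3.10.1.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3
INVALID_SYNTAX = 7  # notify message type, RFC 5996 3.10.1


class InvalidSyntax(ValueError):
    """Any structural defect the responder should answer with INVALID_SYNTAX."""


@dataclass
class Proposal:
    num: int
    protocol_id: int
    spi: bytes
    transforms: bytes  # raw transform substructures; count and framing verified


def expected_spi_size(protocol_id: int, initial_ike_sa: bool) -> int:
    """SPI Size rules from RFC 5996 3.3.1."""
    if initial_ike_sa:
        # IKE_SA_INIT: only IKE proposals, and the SPI field MUST be absent.
        if protocol_id != PROTO_IKE:
            raise InvalidSyntax("non-IKE proposal in initial IKE SA negotiation")
        return 0
    if protocol_id == PROTO_IKE:
        return 8  # IKE SA rekey in CREATE_CHILD_SA
    if protocol_id in (PROTO_AH, PROTO_ESP):
        return 4  # Child SA in IKE_AUTH or CREATE_CHILD_SA
    raise InvalidSyntax(f"unknown Protocol ID {protocol_id}")


def _check_transforms(blob: bytes, count: int) -> None:
    """Walk the transform chain so Num Transforms and the lengths agree."""
    off, seen = 0, 0
    while off < len(blob):
        if len(blob) - off < 8:
            raise InvalidSyntax("truncated transform header")
        more, _res, length, _ttype, _res2, _tid = struct.unpack_from("!BBHBBH", blob, off)
        if more not in (0, 3) or length < 8 or off + length > len(blob):
            raise InvalidSyntax("bad transform framing")
        seen += 1
        off += length
        if more == 0:
            break
    if off != len(blob) or seen != count:
        raise InvalidSyntax("Num Transforms disagrees with transform chain")


def parse_proposals(data: bytes, initial_ike_sa: bool = False) -> List[Proposal]:
    """Parse the Proposal Substructures of an SA payload (generic payload header stripped)."""
    proposals: List[Proposal] = []
    off = 0
    while True:
        if len(data) - off < 8:
            raise InvalidSyntax("truncated proposal header")
        more, _res, length, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        if more not in (0, 2) or length < 8 or off + length > len(data):
            raise InvalidSyntax("bad proposal framing")
        if num != len(proposals) + 1:
            raise InvalidSyntax("Proposal Num not sequential from 1")
        want = expected_spi_size(proto, initial_ike_sa)
        if spi_size != want:  # the case in the post: SPI Size 0 on an ESP/AH proposal
            raise InvalidSyntax(f"SPI Size {spi_size}, expected {want} for Protocol ID {proto}")
        if 8 + spi_size > length:
            raise InvalidSyntax("SPI overruns proposal")
        spi = data[off + 8:off + 8 + spi_size]
        transforms = data[off + 8 + spi_size:off + length]
        _check_transforms(transforms, ntrans)
        proposals.append(Proposal(num, proto, spi, transforms))
        off += length
        if more == 0:
            break
    if off != len(data):
        raise InvalidSyntax("trailing bytes after last proposal")
    return proposals


def responder_check(data: bytes, initial_ike_sa: bool = False) -> Optional[int]:
    """None if the SA payload is acceptable, else the notify type to send back."""
    try:
        parse_proposals(data, initial_ike_sa)
    except InvalidSyntax:
        return INVALID_SYNTAX
    return None


def build_proposal(proto: int, spi: bytes, transforms: List[Tuple[int, int]],
                   num: int = 1, last: bool = True) -> bytes:
    """Encode one Proposal Substructure; transforms are (type, id) pairs without attributes."""
    body = b"".join(
        struct.pack("!BBHBBH", 0 if i == len(transforms) - 1 else 3, 0, 8, ttype, 0, tid)
        for i, (ttype, tid) in enumerate(transforms))
    header = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                         num, proto, len(spi), len(transforms))
    return header + spi + body


# Constructed sample inputs (not captured traffic): ENCR_3DES, AUTH_HMAC_SHA1_96, no ESN.
ESP_TRANSFORMS = [(1, 3), (3, 2), (5, 0)]
GOOD_ESP = build_proposal(PROTO_ESP, b"\xc0\xff\xee\x01", ESP_TRANSFORMS)  # 4-byte SPI
BAD_ESP = build_proposal(PROTO_ESP, b"", ESP_TRANSFORMS)                   # SPI Size 0, as in the post

if __name__ == "__main__":
    print(responder_check(GOOD_ESP))  # None: accepted
    print(responder_check(BAD_ESP))   # 7: INVALID_SYNTAX
```

The same function serves IKE_SA_INIT by passing `initial_ike_sa=True`, where an IKE proposal with SPI Size 0 is the only legal shape; the same bytes arriving in IKE_AUTH or CREATE_CHILD_SA fail the check, which is the point of keying the expected size on the exchange rather than on the Protocol ID alone.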
