
Re: ISAKMP doubt
Message 1 should have only the INITIATOR Cookie while Message 2
(response) should have both INITIATOR and RESPONDER Cookies.
You shouldn't reject the 'response' if it only has one cookie; it's not
a response but an initial phase 1 message.
While it isn't standard practice, if we detect a corresponding
initiation between our own devices we drop the one with the higher
IP address, although establishing two SAs shouldn't hurt, especially
if they're short term.

Jack

----------
> From: N. Muralidhar <nmdhara@broadpac.com>
> To: IPsec mailing list <ipsec@lists.tislabs.com>
> Subject: ISAKMP doubt
> Date: Tuesday, May 09, 2000 2:03 PM
> 
> Hi all,
> I'm having two devices (X & Y) using IKE with main mode with a
> pre-shared key as Phase 1 and Quick mode as Phase 2. One of them (X) comes
> up a little earlier than the other (Y) and both of them find out that a
> Phase 1 has to be established with the other device. Both (X & Y) are
> receiving and sending on port 500. Since X came up a little earlier, the
> packet containing <HDR,SA> was not received by Y. Later Y sends a packet
> containing <HDR, SA> with Y as the initiator. X drops this packet from Y
> considering it as the response to its first packet. Later Y drops the
> retransmitted packet sent by X in a similar fashion. In this way X & Y
> are not converging and are not able to establish Phase 1. Is there a way
> to solve this problem or is it that I'm missing something which is very
> basic?
> 
> Regards,
> Narasimha Murali
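The following is an added worked example, not code from either poster or from any IKE implementation. It parses the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) and makes the decision Jack describes: a datagram whose responder cookie is all zeros is a peer's message 1, not a response, so it must not be discarded as a bad reply to our own message 1; a datagram carrying our initiator cookie plus a non-zero responder cookie is the real message 2. It also implements the tie-break from the reply, read here as "the initiation sent by the device with the higher IP address is the one abandoned" (that reading, the function names, and the IP addresses and cookie values are assumptions of this example). The `murali_scenario` function replays the lost-first-packet race from the question and shows that both sides now converge on a single Phase 1 with X as initiator and Y as responder.

```python
"""Added example: classify inbound ISAKMP main-mode datagrams by cookie state."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

# ISAKMP fixed header (RFC 2408 section 3.1), network byte order:
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4) = 28 bytes.
ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)   # 28
ZERO_COOKIE = b"\x00" * 8
PAYLOAD_SA = 1                   # next-payload value for an SA payload
EXCH_IDENTITY_PROTECTION = 2     # main mode exchange type
ISAKMP_VERSION_1_0 = 0x10


@dataclass(frozen=True)
class IsakmpHeader:
    init_cookie: bytes
    resp_cookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def build_header(init_cookie: bytes, resp_cookie: bytes, body_len: int = 0) -> bytes:
    """Constructed main-mode <HDR,SA> header used as sample input for the example."""
    return struct.pack(ISAKMP_HDR_FMT, init_cookie, resp_cookie, PAYLOAD_SA,
                       ISAKMP_VERSION_1_0, EXCH_IDENTITY_PROTECTION, 0, 0,
                       ISAKMP_HDR_LEN + body_len)


def parse_header(pkt: bytes) -> IsakmpHeader:
    """Parse and sanity-check the fixed header; reject truncated or inconsistent datagrams."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    hdr = IsakmpHeader(*struct.unpack(ISAKMP_HDR_FMT, pkt[:ISAKMP_HDR_LEN]))
    if hdr.length < ISAKMP_HDR_LEN or hdr.length > len(pkt):
        raise ValueError("length field does not match datagram size")
    return hdr


def classify(hdr: IsakmpHeader, our_init_cookie: Optional[bytes],
             our_ip: str, peer_ip: str) -> str:
    """Decide what an inbound Phase 1 datagram is, given our own outstanding initiation (if any).

    Returns one of:
      'respond'                  peer's message 1, we have no initiation of our own
      'drop_peer_initiation'     simultaneous initiation, tie-break says keep ours
      'abandon_ours_and_respond' simultaneous initiation, tie-break says keep the peer's
      'response'                 message 2 answering our message 1
      'drop'                     malformed or unknown cookie pair
    """
    if hdr.resp_cookie == ZERO_COOKIE:
        if hdr.init_cookie == ZERO_COOKIE:
            return "drop"                        # both cookies zero: malformed
        if our_init_cookie is None:
            return "respond"                     # ordinary message 1 from the peer
        # Simultaneous initiation. Assumed reading of the reply's tie-break:
        # the initiation from the higher IP address is the one dropped.
        if ip_address(peer_ip) > ip_address(our_ip):
            return "drop_peer_initiation"        # we are lower: keep our initiation
        return "abandon_ours_and_respond"        # we are higher: become the responder
    if our_init_cookie is not None and hdr.init_cookie == our_init_cookie:
        return "response"                        # genuine message 2 for our exchange
    return "drop"                                # cookie pair matches no known exchange


def murali_scenario() -> Tuple[str, str]:
    """Replay the race from the question: X's first message 1 is lost, both sides then see
    the other's message 1 while their own initiation is outstanding."""
    x_ip, y_ip = "10.0.0.1", "10.0.0.2"                    # constructed addresses
    x_cookie = bytes.fromhex("0102030405060708")           # constructed cookies
    y_cookie = bytes.fromhex("a1a2a3a4a5a6a7a8")
    # Y's message 1 arrives at X, which still has its own message 1 outstanding.
    x_view = classify(parse_header(build_header(y_cookie, ZERO_COOKIE)), x_cookie, x_ip, y_ip)
    # X's retransmitted message 1 arrives at Y, which also has an initiation outstanding.
    y_view = classify(parse_header(build_header(x_cookie, ZERO_COOKIE)), y_cookie, y_ip, x_ip)
    return x_view, y_view


def genuine_response_at_x() -> str:
    """After the tie-break X stays initiator; Y's message 2 carries both cookies."""
    x_cookie = bytes.fromhex("0102030405060708")
    y_cookie = bytes.fromhex("a1a2a3a4a5a6a7a8")
    return classify(parse_header(build_header(x_cookie, y_cookie)), x_cookie, "10.0.0.1", "10.0.0.2")


if __name__ == "__main__":
    print("X sees Y's message 1 as:", murali_scenario()[0])
    print("Y sees X's message 1 as:", murali_scenario()[1])
    print("X sees Y's message 2 as:", genuine_response_at_x())
```

With the tie-break applied on both sides, X keeps its initiation and Y abandons its own to answer X, so exactly one Phase 1 SA is negotiated. Without the tie-break both initiations would proceed, which, as the reply notes, is wasteful but not harmful for short-lived SAs; what must never happen is treating a zero-responder-cookie datagram as a response and dropping it.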