[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISAKMP doubt

To: nmdhara@broadpac.com
Subject: Re: ISAKMP doubt
From: Vipul Gupta <Vipul.Gupta@Eng.Sun.COM>
Date: Tue, 9 May 2000 11:34:40 -0700 (PDT)
Cc: ipsec@lists.tislabs.com
Reply-To: Vipul Gupta <Vipul.Gupta@Eng.Sun.COM>
Sender: owner-ipsec@lists.tislabs.com


> Date: Tue, 09 May 2000 11:03:59 -0700
> From: "N. Muralidhar" <nmdhara@broadpac.com>
> X-Accept-Language: en
> MIME-Version: 1.0
> To: IPsec mailing list <ipsec@lists.tislabs.com>
> Subject: ISAKMP doubt
> Content-Transfer-Encoding: 7bit
> 
> Hi all,
> I'm having two devices (X & Y) using IKE with main mode with a pre
> shared key as Phase 1 and Quick mode as Phase 2. One of them (X) comes
> up little earlier than the other (Y) and both of them find out that a
> Phase 1 has to be established with the other device. Both (X & Y) are
> receiving and sending on port 500. Since X came up little earlier, the
> packet containing <HDR,SA> was not received by Y. Later Y sends a packet
> containing <HDR, SA> with Y as the initiator. X drops this packet from Y
> considering it as the response to it's first packet.

  X should not do this. When Y sends its first packet, the responder cookie
  field in the ISAKMP header is empty indicating it is the start of
  a new Phase I negotiation rather than a reply. The implementation
  on X seems broken.
  
  vipul
  
> Later Y drops the
> retransmitted packet sent by X in a similar fashion. In this way X & Y
> are not converging and are not able to establish Phase 1. Is there a way
> to solve this problem or Is it that I'm missing something which is very
> basic?
> 
> Regards,
> Narasimha Murali
>

Prev by Date: ISAKMP doubt
Next by Date: Re: ISAKMP doubt
Prev by thread: ISAKMP doubt
Next by thread: Re: ISAKMP doubt
Index(es):
- Main
- Thread