
Re: [Ipsec] Number of Proposals in IKE_SA_INIT exchange for IKE_SA and first CHILD_SA ??



> 
> How many proposals will the Initiator send in the first exchange, i.e.,
> IKE_SA_INIT

There are two initial exchanges. One is IKE_SA_INIT and the other is
IKE_AUTH.  In IKE_SA_INIT, you can only have an SA payload
for creating the IKE SA. You can send multiple proposals with multiple
transforms.  But they are all used to create the IKE SA.

>  If Initiator wants to make two SAs i.e., IKE_SA and first
> CHILD_SA(piggybacked with IKE_SA) having same cryptographic suite.

SAs corresponding to IPSec (Child SA) are sent/received as part
of the IKE_AUTH exchange. They are different from the SAs that are sent in
IKE_SA_INIT.

If an administrator wants the same cryptographic algorithms for these
two SAs, he needs to configure the same using his management station.
As far as the protocol is concerned, they are sent as two different SA payloads
in different exchanges.


> 
> Or we can say 
> A single proposal for IKE_SA suffices for the first CHILD_SA, if the
> CHILD_SA uses the same cryptographic suite as the IKE_SA.
> 
> Any comments/answers will be highly appreciated.
> 
> wadood
> 
> _______________________________________________
> Ipsec mailing list
> Ipsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec


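The two SA payloads described in the reply above, as an added example that is not part of the original message: it builds and parses the proposal substructures for IKE_SA_INIT (two alternative IKE proposals) and for IKE_AUTH (one ESP proposal). The field layout and numeric IDs are assumed from RFC 7296 section 3.3, and the algorithm choices and SPI are constructed sample values.

```python
import struct

# Field layouts and numeric IDs follow RFC 7296 section 3.3 (IKEv2 SA payload).
IKE, ESP = 1, 3                              # Protocol IDs
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5    # Transform types
KEY_LENGTH = 0x800E                          # TV-format attribute 14 (Key Length)

def transform(ttype, tid, keylen=None, last=False):
    attrs = struct.pack("!HH", KEY_LENGTH, keylen) if keylen else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs),
                       ttype, 0, tid) + attrs

def proposal(num, proto, spi, transforms, last=True):
    body = b"".join(transform(*t, last=(i == len(transforms) - 1))
                    for i, t in enumerate(transforms))
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                       num, proto, len(spi), len(transforms)) + spi + body

def parse_proposals(data):
    """Return one dict per proposal; reject lengths that overrun the buffer."""
    out, off = [], 0
    while True:
        more, _, plen, num, proto, spi_size, count = struct.unpack_from("!BBHBBBB", data, off)
        if plen < 8 + spi_size or off + plen > len(data):
            raise ValueError("proposal length out of bounds")
        pos, found = off + 8 + spi_size, []
        for _ in range(count):
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, pos)
            if tlen < 8 or pos + tlen > off + plen:
                raise ValueError("transform length out of bounds")
            found.append((ttype, tid))
            pos += tlen
        out.append({"num": num, "proto": proto, "spi_size": spi_size, "transforms": found})
        off += plen
        if more == 0:
            return out

# Constructed sample values: AES-CBC-128 + HMAC-SHA1-96 as the shared suite.
SUITE = [(ENCR, 12, 128), (INTEG, 2)]
# IKE_SA_INIT: two alternative IKE proposals (second offers 3DES), no SPI field.
IKE_SA_INIT_SA = (proposal(1, IKE, b"", SUITE + [(PRF, 2), (DH, 14)], last=False)
                  + proposal(2, IKE, b"", [(ENCR, 3), (INTEG, 2), (PRF, 2), (DH, 14)]))
# IKE_AUTH: a separate ESP proposal with a 4-byte SPI and ESN instead of PRF/DH.
IKE_AUTH_SA = proposal(1, ESP, bytes.fromhex("c0ffee01"), SUITE + [(ESN, 0)])

if __name__ == "__main__":
    for name, blob in (("IKE_SA_INIT", IKE_SA_INIT_SA), ("IKE_AUTH", IKE_AUTH_SA)):
        for p in parse_proposals(blob):
            print(name, p)
```

Even with identical encryption and integrity algorithms, the two proposals differ in Protocol ID, SPI size and transform types, which is why they cannot be collapsed into one SA payload.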