Narayanan, Vidya writes:
> This gives the impression that the IP address to which the IKE_SA is
> tied is not important. That is the address that is going to serve as
> the tunnel endpoint for tunnel mode SAs and hence, has some consequence.
> I would think that typical implementations reject CREATE_CHILD_SA
> requests for rekeying an SA, sent from a different IP address than to
> which the IKE_SA is currently tied - is that not true? RFC4306 is not
> clear about this.
Check RFC4555 instead of RFC4306. With MOBIKE, all existing IPsec SAs get updated with the new outer addresses by UPDATE_SA_ADDRESSES, so it does not matter what the outer IP addresses were when the IPsec SA was created.

Also, it is normal operation to receive packets for an IKE SA with a different outer address when using MOBIKE. This happens, for example, when you start to do UPDATE_SA_ADDRESSES, but it can also happen with any other IKEv2 packet. This is because the other end might not be able to send UPDATE_SA_ADDRESSES yet, because it first needs to finish the other ongoing exchange on the IKEv2 SA if the window size is only 1.

--
firstname.lastname@example.org

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
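The sequence described in the reply above, as an added toy model (not code from the thread or from any IPsec implementation): a responder that finds the IKE SA by SPI pair rather than by outer address, a CREATE_CHILD_SA rekey request that arrives from a new address while the window of 1 is still occupied, and the UPDATE_SA_ADDRESSES that follows once the outstanding exchange completes and moves every child SA to the new address. The addresses, SPIs and the flat message structure are constructed for illustration; integrity checking and the optional return routability check of RFC 4555 are assumed to have happened before `receive()` and are not modelled.

```python
"""Toy model of IKEv2 SA lookup and MOBIKE (RFC 4555) address updates.

Constructed example, not an IKEv2 implementation. It models only:
  * an IKE SA is found by its SPI pair, not by the packet's outer address;
  * UPDATE_SA_ADDRESSES moves every child IPsec SA to the new outer address;
  * with a request window of 1, a peer must finish its ongoing exchange
    before it can send UPDATE_SA_ADDRESSES, so the responder may first see
    that exchange's packets arriving from the new address.
Integrity (ICV) verification and the optional return routability check of
RFC 4555 are assumed to have been done before receive() is called.
"""
from dataclasses import dataclass, field
from typing import Optional

CREATE_CHILD_SA = "CREATE_CHILD_SA"
INFORMATIONAL = "INFORMATIONAL"
UPDATE_SA_ADDRESSES = "UPDATE_SA_ADDRESSES"   # notify type defined in RFC 4555


@dataclass
class Message:                    # simplified IKEv2 message (assumption)
    spi_i: int
    spi_r: int
    exchange: str
    msg_id: int
    src: str                      # outer source address of the UDP packet
    notify: Optional[str] = None


@dataclass
class ChildSA:
    spi: int
    peer_addr: str                # tunnel endpoint used for ESP to the peer


@dataclass
class IkeSA:
    spi_i: int
    spi_r: int
    peer_addr: str
    children: list = field(default_factory=list)
    window: int = 1               # max outstanding requests (RFC 4306 window)
    next_id: int = 0              # next request id this side will send
    outstanding: dict = field(default_factory=dict)  # msg_id -> Message
    expected_id: int = 0          # next request id expected from the peer


class Initiator:
    def __init__(self, sa: IkeSA, addr: str):
        self.sa, self.addr = sa, addr

    def send(self, exchange: str, notify: Optional[str] = None) -> Optional[Message]:
        """Build a request, or return None when the window is full."""
        if len(self.sa.outstanding) >= self.sa.window:
            return None
        msg = Message(self.sa.spi_i, self.sa.spi_r, exchange,
                      self.sa.next_id, self.addr, notify)
        self.sa.outstanding[msg.msg_id] = msg
        self.sa.next_id += 1
        return msg

    def retransmit(self, msg_id: int) -> Message:
        """Retransmit an outstanding request from the current address."""
        m = self.sa.outstanding[msg_id]
        return Message(m.spi_i, m.spi_r, m.exchange, m.msg_id, self.addr, m.notify)

    def got_response(self, msg_id: int) -> None:
        del self.sa.outstanding[msg_id]


class Responder:
    def __init__(self):
        self.sas = {}

    def add(self, sa: IkeSA) -> None:
        self.sas[(sa.spi_i, sa.spi_r)] = sa

    def receive(self, msg: Message) -> str:
        # Lookup by SPI pair only: the outer address is deliberately not part
        # of the key, because with MOBIKE it may legitimately differ.
        sa = self.sas.get((msg.spi_i, msg.spi_r))
        if sa is None:
            return "drop: unknown IKE SA"
        if msg.msg_id != sa.expected_id:
            return "drop: unexpected message id"
        sa.expected_id += 1
        if msg.exchange == CREATE_CHILD_SA:
            # Rekey accepted although msg.src may differ from sa.peer_addr; the
            # new child inherits whatever address the IKE SA currently holds.
            sa.children.append(ChildSA(len(sa.children) + 1, sa.peer_addr))
            return "ok: rekeyed"
        if msg.exchange == INFORMATIONAL and msg.notify == UPDATE_SA_ADDRESSES:
            sa.peer_addr = msg.src
            for child in sa.children:       # every child SA moves at once
                child.peer_addr = msg.src
            return "ok: addresses updated"
        return "ok: ignored"


def scenario() -> dict:
    """Replay the situation from the reply and return what happened."""
    OLD, NEW = "192.0.2.10", "198.51.100.7"              # constructed addresses
    init_sa = IkeSA(spi_i=0x1111, spi_r=0x2222, peer_addr="203.0.113.1")
    resp_sa = IkeSA(spi_i=0x1111, spi_r=0x2222, peer_addr=OLD,
                    children=[ChildSA(1, OLD)])
    init, resp = Initiator(init_sa, OLD), Responder()
    resp.add(resp_sa)
    log = {}
    rekey = init.send(CREATE_CHILD_SA)     # request 0 leaves from OLD ...
    init.addr = NEW                        # ... then the host changes address
    # Window of 1 is occupied by the rekey, so the update cannot be sent yet.
    log["update_before_rekey_done"] = init.send(INFORMATIONAL, UPDATE_SA_ADDRESSES)
    # The retransmitted rekey reaches the responder from the NEW address.
    log["rekey_from_new_addr"] = resp.receive(init.retransmit(rekey.msg_id))
    log["child_addr_after_rekey"] = resp_sa.children[-1].peer_addr
    init.got_response(rekey.msg_id)        # exchange finished, window free
    log["update"] = resp.receive(init.send(INFORMATIONAL, UPDATE_SA_ADDRESSES))
    log["child_addrs_after_update"] = [c.peer_addr for c in resp_sa.children]
    return log
```

Running `scenario()` shows the three points of the reply in order: the update is blocked while the rekey is outstanding (`None`), the rekey from the new address is still accepted because the SA was found by SPI, and only the later UPDATE_SA_ADDRESSES moves both child SAs to the new address.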