SA1i Suite of cryptographic proposals for the IKE SA
KEi Initiator public factor for the Diffie-Hellman Key Exchange
Ni Initiator Nonce
IDi Initiator ID
Certi Initiator Certificate (optional)
IDr Desired Responder ID (optional)
Authi Initiator Authentication (RSA, PSK, or EAP)
SA2i Suite of cryptographic proposals for the Child SA (ESP and/or AH)
TSi Initiator Traffic Selectors (subnets behind the Initiator)
TSr Responder Traffic Selectors (subnets behind the Responder)
IDr Responder ID
Certr Responder Certificate (optional)
Authr Responder Authentication (RSA, PSK, or EAP)
SA2r Selection of a cryptographic proposal for the Child SA (ESP and/or AH)
TSi Initiator Traffic Selectors (subnets behind the Initiator, optional narrowing)
TSr Responder Traffic Selectors (subnets behind the Responder, optional narrowing)
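The responder may narrow the traffic selectors proposed in the initiator's TSi/TSr, but every selector it returns must still lie inside what was proposed; otherwise the CHILD SA would carry traffic the initiator never offered. The following is an added example, not code from the original slides or from any IKEv2 implementation, that models a traffic selector (address range, protocol, port range) and checks a responder's selection against the proposal; the CIDR values and ports in the comments are constructed samples.

```python
"""Validate IKE_AUTH traffic-selector narrowing (added example, not an
IKEv2 implementation's code). Sample selectors used with it are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Address, IPv6Address
from typing import List, Tuple, Union

IPAddr = Union[IPv4Address, IPv6Address]


@dataclass(frozen=True)
class TrafficSelector:
    """One traffic selector: address range, IP protocol (0 = any), port range."""
    start: IPAddr
    end: IPAddr
    proto: int = 0
    port_start: int = 0
    port_end: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0,
                  ports: Tuple[int, int] = (0, 65535)) -> "TrafficSelector":
        """Build a selector covering a whole subnet, e.g. "10.2.0.0/16"."""
        net = ip_network(cidr, strict=False)
        return cls(net[0], net[-1], proto, ports[0], ports[1])

    def contains(self, other: "TrafficSelector") -> bool:
        """True if `other` is an equal or narrower range than self."""
        if self.start.version != other.start.version:
            return False                      # IPv4 and IPv6 ranges never overlap
        if self.proto not in (0, other.proto):
            return False                      # fixed protocol cannot be widened to "any"
        return (self.start <= other.start and other.end <= self.end
                and self.port_start <= other.port_start
                and other.port_end <= self.port_end)


def narrowing_is_valid(proposed: List[TrafficSelector],
                       selected: List[TrafficSelector]) -> bool:
    """Every selector the responder chose must fit inside some proposed one.

    An empty selection is rejected: a CHILD SA with no traffic selectors
    is useless, so the exchange should fail rather than silently succeed."""
    if not selected:
        return False
    return all(any(p.contains(s) for p in proposed) for s in selected)


def check_ike_auth_response(proposed_tsi, proposed_tsr, selected_tsi, selected_tsr) -> bool:
    """Apply the narrowing rule to both directions of an IKE_AUTH response."""
    return (narrowing_is_valid(proposed_tsi, selected_tsi)
            and narrowing_is_valid(proposed_tsr, selected_tsr))


if __name__ == "__main__":
    # Constructed sample: initiator offers 10.1.0.0/16 <-> 10.2.0.0/16,
    # responder narrows the remote side to 10.2.5.0/24 (acceptable) ...
    tsi = [TrafficSelector.from_cidr("10.1.0.0/16")]
    tsr = [TrafficSelector.from_cidr("10.2.0.0/16")]
    print(check_ike_auth_response(tsi, tsr, tsi, [TrafficSelector.from_cidr("10.2.5.0/24")]))
    # ... or replies with 10.3.0.0/24, which was never proposed (reject).
    print(check_ike_auth_response(tsi, tsr, tsi, [TrafficSelector.from_cidr("10.3.0.0/24")]))
```

The same check is what an initiator should run on the TSi/TSr it gets back from the responder before installing the CHILD SA; a selection that is wider than the proposal, or that lands outside it, is a reason to tear the exchange down rather than accept the policy the peer picked.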
N Rekeying Notification (optional)
SAi Suite of cryptographic proposals for the Child SA (ESP and/or AH)
Ni Initiator Nonce
KEi Initiator public factor for the Diffie-Hellman Key Exchange (optional PFS)
TSi Initiator Traffic Selectors (subnets behind the Initiator)
TSr Responder Traffic Selectors (subnets behind the Responder)
Dead Peer Detection
• If Dead Peer Detection (DPD) is activated, the peer is polled every dpddelay seconds by sending an IKEv2 INFORMATIONAL request message if no inbound ESP or IKE activity was detected during the previous dpddelay interval. Typical values for dpddelay are 30-60 seconds, but if the IKEv2 Mobility and Multihoming (MOBIKE) protocol is used, where quite some time can elapse until a new network interface appears, dpddelay should be increased to 5 minutes.
• If no matching IKEv2 INFORMATIONAL response is received, the regular retransmission scheme for IKEv2 packets is applied, and if still no response arrives after about 5 retries over 2-3 minutes, the peer is declared dead and the IKE SA and all attached CHILD SAs are deleted.
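To make the two DPD rules above concrete, here is an added example (my own model, not strongSwan's or any other implementation's code) that runs the timer logic over a constructed timeline of inbound traffic: silence for dpddelay seconds triggers an INFORMATIONAL probe, any inbound ESP/IKE packet cancels it, and an unanswered probe walks through a retransmission schedule before the peer is declared dead. The `dpddelay` value, the number of retries and the `retransmit_timeouts` schedule are assumed parameters chosen to land in the "about 5 retries over 2-3 minutes" range; they are illustrative, not a specific product's defaults.

```python
"""Dead Peer Detection timing model (added example; parameters are assumed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdState:
    dpddelay: float                       # seconds of silence before a probe is sent
    retransmit_timeouts: Tuple[float, ...]  # wait after the initial send and after each retry
    last_inbound: float = 0.0             # last time inbound ESP or IKE traffic was seen
    probe_sent_at: Optional[float] = None  # time of the outstanding INFORMATIONAL (re)send
    retries_used: int = 0
    log: List[str] = field(default_factory=list)

    def inbound(self, t: float) -> None:
        """Any inbound ESP/IKE packet proves liveness and clears an outstanding probe."""
        if self.probe_sent_at is not None:
            self.log.append(f"{t:.0f}s: inbound traffic, outstanding probe cleared")
        self.last_inbound = t
        self.probe_sent_at = None
        self.retries_used = 0

    def tick(self, t: float) -> Optional[str]:
        """Advance the clock to t; returns "dead" once the peer is declared dead."""
        if self.probe_sent_at is None:
            if t - self.last_inbound >= self.dpddelay:
                self.probe_sent_at = t
                self.log.append(f"{t:.0f}s: no traffic for {self.dpddelay:.0f}s, "
                                "sending INFORMATIONAL request")
            return None
        # A probe is outstanding: apply the retransmission schedule.
        if t - self.probe_sent_at < self.retransmit_timeouts[self.retries_used]:
            return None
        self.retries_used += 1
        if self.retries_used == len(self.retransmit_timeouts):
            self.log.append(f"{t:.0f}s: peer declared dead, deleting IKE SA "
                            "and all attached CHILD SAs")
            return "dead"
        self.probe_sent_at = t
        self.log.append(f"{t:.0f}s: retransmission {self.retries_used}")
        return None


# Assumed schedule: initial wait plus 5 retries, 165 s in total (illustrative only).
DEFAULT_TIMEOUTS = (4.0, 7.0, 13.0, 23.0, 42.0, 76.0)


def simulate(inbound_times: List[float], dpddelay: float,
             timeouts: Tuple[float, ...] = DEFAULT_TIMEOUTS,
             horizon: float = 600.0, step: float = 1.0):
    """Replay constructed inbound-traffic timestamps against the DPD state machine.

    Returns (time the peer was declared dead or None, event log)."""
    state = DpdState(dpddelay, timeouts)
    pending = sorted(inbound_times)
    t = 0.0
    while t <= horizon:
        while pending and pending[0] <= t:
            state.inbound(pending.pop(0))
        if state.tick(t) == "dead":
            return t, state.log
        t += step
    return None, state.log


if __name__ == "__main__":
    # Constructed timeline: traffic at 10 s and 25 s, then the peer goes silent.
    death, events = simulate([10.0, 25.0], dpddelay=30.0)
    print("\n".join(events))
    print("declared dead at", death)
```

Running the block shows the probe leaving at 55 s (30 s after the last packet at 25 s), retransmissions at 59, 66, 79, 102 and 144 s, and the peer declared dead at 220 s. With a MOBIKE roaming client the same timeline with `dpddelay=300.0` would not even send the first probe until 325 s, which is the point of raising dpddelay to 5 minutes: a client that is briefly between interfaces is not torn down for a gap that is expected.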