Appendix C. Exchanges and Payloads
This appendix contains a short summary of the IKEv2 exchanges, and what payloads can appear in which message. This appendix is purely informative; if it disagrees with the body of this document, the other text is considered correct.
Vendor ID (V) payloads may be included anywhere in any message. The sequences below show the most logical places for them.
C.1. IKE_SA_INIT Exchange

request             --> [N(COOKIE),]
                        SA, KE, Ni,
                        [N(NAT_DETECTION_SOURCE_IP)+,
                         N(NAT_DETECTION_DESTINATION_IP),]
                        [V+][N+]

normal response     <-- SA, KE, Nr,
(no cookie)             [N(NAT_DETECTION_SOURCE_IP),
                         N(NAT_DETECTION_DESTINATION_IP),]
                        [[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,]
                        [V+][N+]

cookie response     <-- N(COOKIE),
                        [V+][N+]

different Diffie-   <-- N(INVALID_KE_PAYLOAD),
Hellman group           [V+][N+]
wanted
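As an added example (not part of RFC 7296 or any IKEv2 implementation), the following Python turns the payload notation used in this appendix into a regular expression over payload tokens and checks whether the payload order a decoder reports for an IKE_SA_INIT message fits the templates of C.1. The templates are copied from C.1; the message lists are constructed, with "N" standing for any other notify and "V" for a Vendor ID payload.

```python
import re

# Notation handled, as used in this appendix:
#   "X,"      required payload X
#   "[ ... ]" optional group (may nest)
#   "X+"      one or more payloads X
# Templates copied from Appendix C.1 of RFC 7296.
IKE_SA_INIT = {
    "request": "[N(COOKIE),] SA, KE, Ni, "
               "[N(NAT_DETECTION_SOURCE_IP)+, N(NAT_DETECTION_DESTINATION_IP),] "
               "[V+][N+]",
    "normal response": "SA, KE, Nr, "
                       "[N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP),] "
                       "[[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,] [V+][N+]",
    "cookie response": "N(COOKIE), [V+][N+]",
}

# Tokens of the notation: brackets, or a payload name with an optional
# parenthesised notify type and an optional trailing "+".  Commas are skipped.
_TOKEN = re.compile(r"\[|\]|[A-Za-z_]+(?:\([A-Za-z_]+\))?\+?")

def compile_template(template: str) -> re.Pattern:
    """Translate a template into an anchored regex over space-separated tokens."""
    parts = []
    for tok in _TOKEN.findall(template):
        if tok == "[":
            parts.append("(?:")            # optional group opens ...
        elif tok == "]":
            parts.append(")?")             # ... and closes
        else:
            atom = re.escape(tok.rstrip("+")) + " "   # one payload plus separator
            parts.append(f"(?:{atom})+" if tok.endswith("+") else atom)
    return re.compile("^" + "".join(parts) + "$")

def conforms(template: str, payloads: list) -> bool:
    """True if the payload list, in wire order, matches the template.
    Other notifies are given as the bare token "N", Vendor IDs as "V"."""
    return compile_template(template).match(" ".join(payloads) + " ") is not None

if __name__ == "__main__":
    # Constructed payload orderings, as a packet decoder might report them.
    ok = ["SA", "KE", "Ni", "N(NAT_DETECTION_SOURCE_IP)",
          "N(NAT_DETECTION_DESTINATION_IP)", "V"]
    bad = ["SA", "Ni", "N(NAT_DETECTION_DESTINATION_IP)"]  # no KE, DEST without SOURCE
    print(conforms(IKE_SA_INIT["request"], ok))    # True
    print(conforms(IKE_SA_INIT["request"], bad))   # False
```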
C.2. IKE_AUTH Exchange without EAP

request             --> IDi, [CERT+,]
                        [N(INITIAL_CONTACT),]
                        [[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,]
                        [IDr,]
                        AUTH,
                        [CP(CFG_REQUEST),]
                        [N(IPCOMP_SUPPORTED)+,]
                        [N(USE_TRANSPORT_MODE),]
                        [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                        [N(NON_FIRST_FRAGMENTS_ALSO),]
                        SA, TSi, TSr,
                        [V+][N+]

response            <-- IDr, [CERT+,]
                        AUTH,
                        [CP(CFG_REPLY),]
                        [N(IPCOMP_SUPPORTED),]
                        [N(USE_TRANSPORT_MODE),]
                        [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                        [N(NON_FIRST_FRAGMENTS_ALSO),]
                        SA, TSi, TSr,
                        [N(ADDITIONAL_TS_POSSIBLE),]
                        [V+][N+]

error in Child SA   <-- IDr, [CERT+,]
creation                AUTH,
                        N(error),
                        [V+][N+]
C.3. IKE_AUTH Exchange with EAP

first request       --> IDi,
                        [N(INITIAL_CONTACT),]
                        [[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,]
                        [IDr,]
                        [CP(CFG_REQUEST),]
                        [N(IPCOMP_SUPPORTED)+,]
                        [N(USE_TRANSPORT_MODE),]
                        [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                        [N(NON_FIRST_FRAGMENTS_ALSO),]
                        SA, TSi, TSr,
                        [V+][N+]

first response      <-- IDr, [CERT+,] AUTH,
                        EAP,
                        [V+][N+]

                  / --> EAP
repeat 1..N times |
                  \ <-- EAP

last request        --> AUTH

last response       <-- AUTH,
                        [CP(CFG_REPLY),]
                        [N(IPCOMP_SUPPORTED),]
                        [N(USE_TRANSPORT_MODE),]
                        [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                        [N(NON_FIRST_FRAGMENTS_ALSO),]
                        SA, TSi, TSr,
                        [N(ADDITIONAL_TS_POSSIBLE),]
                        [V+][N+]
C.4. CREATE_CHILD_SA Exchange for Creating or Rekeying Child SAs

request             --> [N(REKEY_SA),]
                        [CP(CFG_REQUEST),]
                        [N(IPCOMP_SUPPORTED)+,]
                        [N(USE_TRANSPORT_MODE),]
                        [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                        [N(NON_FIRST_FRAGMENTS_ALSO),]
                        SA, Ni, [KEi,] TSi, TSr,
                        [V+][N+]

normal              <-- [CP(CFG_REPLY),]
response                [N(IPCOMP_SUPPORTED),]
                        [N(USE_TRANSPORT_MODE),]
                        [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                        [N(NON_FIRST_FRAGMENTS_ALSO),]
                        SA, Nr, [KEr,] TSi, TSr,
                        [N(ADDITIONAL_TS_POSSIBLE),]
                        [V+][N+]

error case          <-- N(error)

different Diffie-   <-- N(INVALID_KE_PAYLOAD),
Hellman group           [V+][N+]
wanted
C.5. CREATE_CHILD_SA Exchange for Rekeying the IKE SA

request             --> SA, Ni, KEi,
                        [V+][N+]

response            <-- SA, Nr, KEr,
                        [V+][N+]
C.6. INFORMATIONAL Exchange

request             --> [N+,]
                        [D+,]
                        [CP(CFG_REQUEST)]

response            <-- [N+,]
                        [D+,]
                        [CP(CFG_REPLY)]