Appendix C. Exchanges and Payloads

This appendix contains a short summary of the IKEv2 exchanges and of which payloads can appear in which message. It is purely informative; where it disagrees with the body of this document, the body text is considered correct.

Vendor ID (V) payloads may be included in any place in any message. The sequences below show the most logical place for them.

C.1. IKE_SA_INIT Exchange

   request             --> [N(COOKIE),]
                           SA, KE, Ni,
                           [N(NAT_DETECTION_SOURCE_IP)+,
                            N(NAT_DETECTION_DESTINATION_IP),]
                           [V+][N+]

   normal response     <-- SA, KE, Nr,
   (no cookie)             [N(NAT_DETECTION_SOURCE_IP),
                            N(NAT_DETECTION_DESTINATION_IP),]
                           [[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,]
                           [V+][N+]

   cookie response     <-- N(COOKIE),
                           [V+][N+]

   different Diffie-   <-- N(INVALID_KE_PAYLOAD),
   Hellman group wanted    [V+][N+]

C.2. IKE_AUTH Exchange without EAP

   request             --> IDi, [CERT+,]
                           [N(INITIAL_CONTACT),]
                           [[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,]
                           [IDr,]
                           AUTH,
                           [CP(CFG_REQUEST),]
                           [N(IPCOMP_SUPPORTED)+,]
                           [N(USE_TRANSPORT_MODE),]
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                           [N(NON_FIRST_FRAGMENTS_ALSO),]
                           SA, TSi, TSr,
                           [V+][N+]

   response            <-- IDr, [CERT+,]
                           AUTH,
                           [CP(CFG_REPLY),]
                           [N(IPCOMP_SUPPORTED),]
                           [N(USE_TRANSPORT_MODE),]
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                           [N(NON_FIRST_FRAGMENTS_ALSO),]
                           SA, TSi, TSr,
                           [N(ADDITIONAL_TS_POSSIBLE),]
                           [V+][N+]

   error in Child SA   <-- IDr, [CERT+,]
   creation                AUTH,
                           N(error),
                           [V+][N+]

C.3. IKE_AUTH Exchange with EAP

   first request       --> IDi,
                           [N(INITIAL_CONTACT),]
                           [[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,]
                           [IDr,]
                           [CP(CFG_REQUEST),]
                           [N(IPCOMP_SUPPORTED)+,]
                           [N(USE_TRANSPORT_MODE),]
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                           [N(NON_FIRST_FRAGMENTS_ALSO),]
                           SA, TSi, TSr,
                           [V+][N+]

   first response      <-- IDr, [CERT+,] AUTH,
                           EAP,
                           [V+][N+]

                     / --> EAP
   repeat 1..N times |
                     \ <-- EAP

   last request        --> AUTH

   last response       <-- AUTH,
                           [CP(CFG_REPLY),]
                           [N(IPCOMP_SUPPORTED),]
                           [N(USE_TRANSPORT_MODE),]
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                           [N(NON_FIRST_FRAGMENTS_ALSO),]
                           SA, TSi, TSr,
                           [N(ADDITIONAL_TS_POSSIBLE),]
                           [V+][N+]

C.4. CREATE_CHILD_SA Exchange for Creating or Rekeying Child SAs

   request             --> [N(REKEY_SA),]
                           [CP(CFG_REQUEST),]
                           [N(IPCOMP_SUPPORTED)+,]
                           [N(USE_TRANSPORT_MODE),]
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                           [N(NON_FIRST_FRAGMENTS_ALSO),]
                           SA, Ni, [KEi,] TSi, TSr,
                           [V+][N+]

   normal              <-- [CP(CFG_REPLY),]
   response                [N(IPCOMP_SUPPORTED),]
                           [N(USE_TRANSPORT_MODE),]
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED),]
                           [N(NON_FIRST_FRAGMENTS_ALSO),]
                           SA, Nr, [KEr,] TSi, TSr,
                           [N(ADDITIONAL_TS_POSSIBLE),]
                           [V+][N+]

   error case          <-- N(error)

   different Diffie-   <-- N(INVALID_KE_PAYLOAD),
   Hellman group wanted    [V+][N+]

C.5. CREATE_CHILD_SA Exchange for Rekeying the IKE SA

   request             --> SA, Ni, KEi,
                           [V+][N+]

   response            <-- SA, Nr, KEr,
                           [V+][N+]

C.6. INFORMATIONAL Exchange

   request             --> [N+,]
                           [D+,]
                           [CP(CFG_REQUEST)]

   response            <-- [N+,]
                           [D+,]
                           [CP(CFG_REPLY)]
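The bracket-and-plus notation used throughout this appendix is regular, so an IKEv2 receiver (or a monitoring tool sitting in front of one) can turn each listed shape into a matcher and reject or flag messages whose payload sequence fits none of the shapes for that exchange. The following is an added example, not text or code from RFC 7296 or any IKE implementation: it compiles the C.1 request and response shapes and the C.6 request shape into regular expressions over a serialized payload list, and uses them to validate an IKE_SA_INIT request and to classify an IKE_SA_INIT response as normal, cookie, or "different Diffie-Hellman group wanted". The payload lists at the bottom are constructed samples (the tuple form `(type, notify-subtype-or-None)` is an assumption about what a parser would hand over, not a wire format), and the function names are mine.

```python
import re

# Message shapes copied verbatim from Appendix C:
# [...] is optional, X+ means one or more, commas are separators.
IKE_SA_INIT_REQUEST = (
    "[N(COOKIE),] SA, KE, Ni, "
    "[N(NAT_DETECTION_SOURCE_IP)+, N(NAT_DETECTION_DESTINATION_IP),] [V+][N+]"
)
IKE_SA_INIT_RESPONSES = {
    "normal": "SA, KE, Nr, [N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP),] "
              "[[N(HTTP_CERT_LOOKUP_SUPPORTED),] CERTREQ+,] [V+][N+]",
    "cookie": "N(COOKIE), [V+][N+]",
    "different_dh_group": "N(INVALID_KE_PAYLOAD), [V+][N+]",
}
INFORMATIONAL_REQUEST = "[N+,] [D+,] [CP(CFG_REQUEST)]"

_TOKEN = re.compile(r"\[|\]|[A-Za-z]+(?:\([A-Z_]+\))?\+?")
_PAYLOAD = re.compile(r"([A-Za-z]+)(?:\(([A-Z_]+)\))?")


def _payload_regex(tok, named):
    """Regex for one payload token over the serialized form 'TYPE;' or 'TYPE(SUB);'."""
    repeat = tok.endswith("+")
    ptype, sub = _PAYLOAD.fullmatch(tok.rstrip("+")).groups()
    if sub:
        r = rf"{ptype}\({sub}\);"
    else:
        # A bare type (e.g. the trailing N+) stands for "any other" payload of
        # that type. Excluding the subtypes the shape names explicitly keeps a
        # misplaced N(COOKIE) or NAT-detection notify from hiding inside N+.
        excl = named.get(ptype)
        alts = "|".join(sorted(excl)) if excl else ""
        guard = rf"(?!\((?:{alts})\))" if excl else ""
        r = rf"{ptype}{guard}(?:\([A-Z_]+\))?;"
    return f"(?:{r})+" if repeat else r


def compile_shape(shape):
    """Compile one Appendix C shape into a regex over the serialized payload list."""
    toks = _TOKEN.findall(shape)
    named = {}
    for tok in toks:
        if tok not in ("[", "]"):
            ptype, sub = _PAYLOAD.fullmatch(tok.rstrip("+")).groups()
            if sub:
                named.setdefault(ptype, set()).add(sub)
    parts = []
    for tok in toks:
        if tok == "[":
            parts.append("(?:")
        elif tok == "]":
            parts.append(")?")
        else:
            parts.append(_payload_regex(tok, named))
    return re.compile("".join(parts))


def serialize(payloads):
    """payloads: sequence of (type, subtype-or-None) in wire order, as a parser would emit."""
    return "".join(f"{t}({s});" if s else f"{t};" for t, s in payloads)


def matches(shape, payloads):
    """True if the payload sequence fits the shape exactly (order included)."""
    return compile_shape(shape).fullmatch(serialize(payloads)) is not None


def classify_response(payloads, shapes=IKE_SA_INIT_RESPONSES):
    """Name of the first shape the payload list fits, or None if it fits none."""
    for name, shape in shapes.items():
        if matches(shape, payloads):
            return name
    return None


# Constructed sample payload lists (not captured traffic).
SAMPLE_INIT_REQUEST = [("N", "COOKIE"), ("SA", None), ("KE", None), ("Ni", None),
                       ("N", "NAT_DETECTION_SOURCE_IP"),
                       ("N", "NAT_DETECTION_DESTINATION_IP"), ("V", None)]
SAMPLE_COOKIE_RESPONSE = [("N", "COOKIE"), ("V", None)]
# Destination notify without the source notify it must follow.
SAMPLE_BAD_REQUEST = [("SA", None), ("KE", None), ("Ni", None),
                      ("N", "NAT_DETECTION_DESTINATION_IP")]

if __name__ == "__main__":
    print(matches(IKE_SA_INIT_REQUEST, SAMPLE_INIT_REQUEST))   # True
    print(matches(IKE_SA_INIT_REQUEST, SAMPLE_BAD_REQUEST))    # False
    print(classify_response(SAMPLE_COOKIE_RESPONSE))           # cookie
    print(matches(INFORMATIONAL_REQUEST, []))                  # True
```

Two design points are worth noting. First, the matcher is deliberately stricter than the appendix's text: the appendix says V payloads may appear anywhere and only shows their most logical place, so a checker built this way will reject a peer that puts Vendor IDs first; treat a mismatch as something to log and examine, not as proof of a malformed message. Second, every element of the C.6 request is bracketed, so the empty payload list matches it, which is exactly the payload-less INFORMATIONAL request that IKEv2 uses as a liveness check.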