
(usagi-users 03154) Issue on Phase 2 handler



Hi,
   When we've unpacked the ipsec-tools-0.2.5.tar.gz, in ipsec-tools-0.2.5/src/racoon/handler.h we can see something like the following:
 
/* Phase 2 handler */
/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
/*
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   acquire msg get         1st valid msg received
 *  3   getspi request sent     getspi request sent
 *  4   getspi done             getspi done
 *  5   1st msg sent            1st msg sent
 *  6   1st valid msg received  2nd valid msg received
 *  7   (commit bit)            (commit bit)
 *  8   SAs added               SAs added
 *  9   SAs established         SAs established
 * 10   SAs expired             SAs expired
 */
 
  Then,
  1) Since the initiator only sends one message (step 5), why should the responder receive two messages (step 2 and step 6)?
  2) We know that before the initiator begins its negotiation with the responder, it will send an SADB_GETSPI message from a user process to the kernel for an SPI. When it gets the SPI, it can begin its negotiation.
  But here, why should the responder also send an SADB_GETSPI (step 3 and step 4)? Does it still send the message to its kernel? Why doesn't it use the SPI from the initiator? If the responder gets its own SPI, then there will be two different SPIs between the initiator and responder, which one will they finally use?
 
  Thank you.


--
Best Regards,
Park Lee <parklee_sel@xxxxxxxxx>
 

