
Initial Contact Message processing
Hi, we found one problem during interoperability testing and I thought I would inform the list for feedback.

It seems that some implementations, while processing an IC message,
delete all IPsec and IKE SAs that correspond to the source IP address of
the IC message.

This works well in most scenarios, but fails to work when there
is more than one Security Gateway or Client behind a NAT gateway.
For instance, take this example:

Security Client 1
----------NAT Gateway-------Internet--------SG-----LAN
Security Client 2

At one time, both clients have tunnels established with the SG (acting as a remote
access server; only the Clients initiate the phase 1 exchange),
and the SG will see both tunnels from the NAT Gateway IP address.

If Client 1 gets restarted, it sends an IC message to the SG.
The SG, upon receipt, deletes the tunnels established by Client 1 and also
deletes the tunnels that were created by Client 2.

The DOI (RFC2407) states that, upon receipt of an IC message, implementations
might delete tunnels associated with the sending system.

It is observed that identification of the 'sending system' is done based on the source IP
address of the IC message in some implementations. I feel that it should be based
on the 'Phase 1 ID' (FQDN, USER FQDN, USER DN, etc.) and/or the source IP address.


Some clarification on IC message processing in the DOI document might be helpful.

Thanks
Vamsi
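An added example, not part of Vamsi's message or any implementation discussed in it: a toy SA table that reproduces the NAT scenario above and contrasts IC cleanup keyed on source IP alone with cleanup keyed on the Phase 1 identity plus source IP. The SA records, the NAT address and the Phase 1 identities are constructed, and the record field names are this example's own.

```python
"""Toy IKE/IPsec SA table for the Initial Contact (IC) scenario: two clients
behind one NAT gateway, both seen by the SG from the NAT's public address.
All records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SaRecord:
    peer_ip: str      # address the SG sees the peer's packets from (NAT's public IP)
    phase1_id: str    # authenticated Phase 1 identity (FQDN, USER_FQDN, DN, ...)
    label: str        # stand-in for the SA's SPI (constructed)


NAT_IP = "198.51.100.7"   # constructed, documentation-range address
SA_TABLE = [
    SaRecord(NAT_IP, "client1.example.com", "ike-c1"),
    SaRecord(NAT_IP, "client1.example.com", "esp-c1"),
    SaRecord(NAT_IP, "client2.example.com", "ike-c2"),
    SaRecord(NAT_IP, "client2.example.com", "esp-c2"),
]


def on_initial_contact_by_ip(table, src_ip):
    """Behaviour the message reports: every SA whose peer address equals the
    IC source IP is deleted, so one client's restart also clears the other
    client that shares the NAT address."""
    return [sa for sa in table if sa.peer_ip != src_ip]


def on_initial_contact_by_identity(table, src_ip, phase1_id):
    """Behaviour the message proposes: delete only SAs that belong to the
    sending system, identified by its Phase 1 ID together with the source IP."""
    return [sa for sa in table
            if not (sa.peer_ip == src_ip and sa.phase1_id == phase1_id)]


def surviving_ids(table):
    """Sorted Phase 1 identities that still hold at least one SA."""
    return sorted({sa.phase1_id for sa in table})


if __name__ == "__main__":
    # Client 1 restarts and sends IC; the SG sees it arrive from NAT_IP.
    print("by IP only:", surviving_ids(on_initial_contact_by_ip(SA_TABLE, NAT_IP)))
    print("by Phase 1 ID + IP:", surviving_ids(
        on_initial_contact_by_identity(SA_TABLE, NAT_IP, "client1.example.com")))
```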