First Child SA

The IKEv2 protocol was designed so that the first Child SA is activated during processing of the IKE_AUTH request and response. For many configurations, this means that the IKE SA and Child SA are both activated by only four messages.

The IKE_AUTH request contains the initiator's list of SA proposals, and the traffic selectors that describe the traffic to be protected by the Child SA. However, the IKE_AUTH request does NOT contain keying information or a nonce that is specific to the Child SA. The nonces and keying information from the IKE_SA_INIT exchange are used in computing the keys for the first Child SA. See Figure 1 for an illustration of the IKE_AUTH exchange.
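As an added example (not part of the original page), the derivation described above worked through in Python: prf+ as defined in RFC 7296 section 2.13, and the first Child SA's KEYMAT = prf+(SK_d, Ni | Nr) from section 2.17, reusing the IKE_SA_INIT nonces with no Child-specific nonce or Diffie-Hellman value. It assumes the negotiated PRF is PRF_HMAC_SHA2_256 and uses constructed values for SK_d and the nonces.

```python
import hashlib
import hmac

# Assumed negotiated PRF for the IKE SA: PRF_HMAC_SHA2_256 (RFC 4868).
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output is T1 | T2 | ..."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:  # the counter is a single octet; RFC 7296 caps prf+ at 255 blocks
            raise ValueError("prf+ output length exceeds 255 blocks")
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]

def first_child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes,
                        enc_len: int, integ_len: int) -> dict:
    """Keys for the Child SA set up in IKE_AUTH (RFC 7296 section 2.17).
    KEYMAT = prf+(SK_d, Ni | Nr): the nonces from IKE_SA_INIT, no fresh DH.
    Keys are taken in order: initiator->responder encryption, then integrity,
    then responder->initiator encryption, then integrity."""
    keymat = prf_plus(sk_d, ni + nr, 2 * (enc_len + integ_len))
    pos, keys = 0, {}
    for name, size in (("init_enc", enc_len), ("init_integ", integ_len),
                       ("resp_enc", enc_len), ("resp_integ", integ_len)):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys

# Constructed sample values (not from a real exchange): SK_d from the IKE SA's
# key derivation, and the initiator/responder nonces sent in IKE_SA_INIT.
SK_D = bytes(range(32))
NI = hashlib.sha256(b"constructed initiator nonce").digest()
NR = hashlib.sha256(b"constructed responder nonce").digest()

if __name__ == "__main__":
    # ENCR_AES_CBC with a 256-bit key plus AUTH_HMAC_SHA2_256_128 (32-byte key):
    # 2 * (32 + 32) = 128 bytes of KEYMAT, i.e. four prf+ blocks for SHA-256.
    for name, key in first_child_sa_keys(SK_D, NI, NR, 32, 32).items():
        print(f"{name}: {key.hex()}")
```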

Processing of the SA proposals and the traffic selectors during the IKE_AUTH exchange is the same as in CREATE_CHILD_SA processing, described in Additional Child SAs.