Interpreting IKEv1 daemon phase 1 SA states

The two IKE modes for negotiating phase 1 SAs (Main mode and Aggressive mode) are not themselves negotiable SA attributes. The initiator selects the mode from its own local policy; the responder can only accept or reject the mode that the initiator selected. Main mode completes in six messages and Aggressive mode in three, which is why the two state lists that follow differ.

Figure 1 shows how to interpret phase 1 SA states in Main mode.
Figure 1. Interpreting phase 1 SA states in Main mode (flowchart not reproduced; the states it shows are described in the text that follows)
The following state descriptions apply to the Communications Server IKE daemon when acting as the initiator or responder of a main mode phase 1 SA negotiation (Figure 1). These states are shown in the state field of the ipsec -k display command output. See Main mode for a description of the contents of the messages. The numbers in the following list correspond to the numbered items in Figure 1.
  1. The INIT state on the initiator side indicates that message 1 has not yet been sent.
  2. The INIT state on the responder side indicates that the responder is processing message 1, which was received from the initiator.
  3. The WAIT SA state on the initiator side indicates that the initiator has sent message 1 and is waiting for message 2 from the responder.
  4. The WAIT KE state indicates that the responder has processed message 1 and is waiting for message 3 from the initiator.
  5. The IN KE state on the initiator side indicates that the initiator has sent message 3.
  6. The IN KE state on the responder side indicates that the responder has received message 3.
  7. The DONE state on the initiator side indicates that the initiator has received message 6.
  8. The DONE state on the responder side indicates that the responder has sent message 6.
Figure 2 shows how to interpret phase 1 SA states in aggressive mode.
Figure 2. Interpreting phase 1 SA states in Aggressive mode (flowchart not reproduced; the states it shows are described in the text that follows)
The following state descriptions apply to the Communications Server IKE daemon when acting as the initiator or responder of an Aggressive mode phase 1 SA negotiation (Figure 2). These states are shown in the state field of the ipsec -k display command output. See Aggressive mode for a description of the contents of the messages. In Aggressive mode the initiator sends messages 1 and 3 and the responder sends message 2. The numbers in the following list correspond to the numbered items in Figure 2.
  1. The INIT state on the initiator side indicates that message 1 has not yet been sent.
  2. The INIT state on the responder side indicates that the responder is processing message 1 received from the initiator.
  3. The WAIT SA state on the initiator side indicates that the initiator has sent message 1.
  4. The IN KE state on the responder side indicates that the responder has processed message 1 and is waiting for message 3 from the initiator.
  5. The IN KE state on the initiator side indicates that the initiator has received message 2 from the responder.
  6. The DONE state on the initiator side indicates that the initiator has sent message 3.
  7. The DONE state on the responder side indicates that the responder has received message 3.
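The two state lists above amount to a small state machine per mode and role. The following Python model is an added illustration, not code from z/OS Communications Server: it encodes the message order and the displayed state after each message exactly as the Main mode and Aggressive mode lists describe them, and adds a helper that, given the state shown by ipsec -k display, says whether a stalled negotiation is waiting on this daemon or on the peer. The event-log format ("send"/"recv" plus message number), the stall interpretation, and the function names are assumptions made for this example; the daemon exports no such log.

```python
"""Model of the IKED phase 1 states listed above (added illustration, not IBM code).

FLOWS and STATES encode the Main and Aggressive mode message sequences and
the state shown by ipsec -k display after each message, as given in the two
state lists. The ("send"|"recv", n) event format and the stall diagnosis in
next_message() are assumptions made for this example.
"""

# Who sends each IKEv1 phase 1 message, in order (message numbers are 1-based).
FLOWS = {
    "main":       ["initiator", "responder", "initiator",
                   "responder", "initiator", "responder"],
    "aggressive": ["initiator", "responder", "initiator"],
}

# STATES[(mode, role)][i] is the state displayed after i messages of the flow
# have been handled by this daemon (sent, or received and processed).
# None means the SA does not exist yet: a responder creates it on message 1.
# A responder shows INIT while it is processing message 1, i.e. until it has
# sent message 2, so its "processed message 1" state appears at index 2.
STATES = {
    ("main", "initiator"):       ["INIT", "WAIT SA", "WAIT SA", "IN KE",
                                  "IN KE", "IN KE", "DONE"],
    ("main", "responder"):       [None, "INIT", "WAIT KE", "IN KE",
                                  "IN KE", "IN KE", "DONE"],
    ("aggressive", "initiator"): ["INIT", "WAIT SA", "IN KE", "DONE"],
    ("aggressive", "responder"): [None, "INIT", "IN KE", "DONE"],
}


def state_after(mode, role, events):
    """Return the state displayed after the given ("send"|"recv", n) events.

    Events must follow the mode's message order; a replayed or out-of-order
    message, or one sent by the wrong side, raises ValueError instead of
    advancing the state, which is the behaviour a daemon must have too.
    """
    senders = FLOWS[mode]
    for i, (direction, n) in enumerate(events):
        if i >= len(senders):
            raise ValueError(f"message {n} after the exchange is complete")
        if n != i + 1:
            raise ValueError(f"expected message {i + 1}, got message {n}")
        expected = "send" if senders[i] == role else "recv"
        if direction != expected:
            raise ValueError(f"message {n} must be {expected} by the {role}")
    return STATES[(mode, role)][len(events)]


def next_message(mode, role, state):
    """Say what a negotiation sitting in `state` is waiting on.

    Returns ("local", n) when this daemon has yet to send message n, or
    ("peer", n) when message n has not yet arrived from the peer; None for
    DONE or for a state this mode/role never shows. Interpretation (an
    assumption of this example): a "peer" state that outlives the retransmit
    interval points at the network or the peer, a persistent "local" state
    at this daemon's own processing of the previous message.
    """
    states = STATES[(mode, role)]
    if state == "DONE" or state not in states:
        return None
    i = states.index(state)          # first point at which the state is shown
    who = "local" if FLOWS[mode][i] == role else "peer"
    return (who, i + 1)


if __name__ == "__main__":
    # Constructed walk-through: a Main mode initiator whose message 2 never arrives.
    log = [("send", 1)]
    shown = state_after("main", "initiator", log)
    print(shown, next_message("main", "initiator", shown))   # WAIT SA ('peer', 2)
```

Reading the model against the lists: an initiator stuck in WAIT SA (either mode) or a responder stuck in WAIT KE (Main mode) or IN KE (Aggressive mode) has not received the peer's next message, so the first place to look is UDP port 500 reachability and the peer's own log; a responder that stays in INIT is still processing message 1 locally.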