Interpreting IKEv2 IKE SA states
Figure 1 shows how to interpret IKE SA states.
The following state descriptions apply to the Communications Server IKE daemon when acting as the initiator or responder of an IKEv2 phase 1 SA negotiation. These states are shown in the state field of the ipsec -k display command output. See Initial exchanges for a description of the contents of the messages. The numbers in the following list correspond to the numbered items in Figure 1.
1. The INIT state on the initiator side indicates that the IKE_SA_INIT request has not yet been sent.
2. The INIT state on the responder side indicates that the responder is processing the IKE_SA_INIT request, which was received from the initiator.
3. The WAIT KE state on the initiator side indicates that the initiator has sent the IKE_SA_INIT request and is waiting for the IKE_SA_INIT response from the responder.
4. The WAIT KE state on the responder side indicates that the responder has processed the IKE_SA_INIT request and is waiting for the IKE_AUTH request from the initiator.
5. The WAIT AUTH state on the initiator side indicates that the initiator has sent the IKE_AUTH request.
6. The WAIT AUTH state on the responder side indicates that the responder has received the IKE_AUTH request.
7. The DONE state on the initiator side indicates that the initiator has received the IKE_AUTH response.
8. The DONE state on the responder side indicates that the responder has sent the IKE_AUTH response.
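
The following added example (not IBM code and not part of the original page) replays the state descriptions above in message order and reports, for the state each peer displays for the same SA, which step of the negotiation has not yet happened. It assumes a single negotiation with no retransmissions and that both peers report the states described here; the names STEPS, timeline and next_step are hypothetical.

```python
# Added example: IKE SA states of both peers during one IKEv2 phase 1
# negotiation, built only from the state descriptions in the list above.
# Assumption: one negotiation, no retransmissions, no rekeys.

# (event, side whose state field changes, state shown afterwards)
STEPS = [
    ("initiator has not yet sent IKE_SA_INIT request", "initiator", "INIT"),
    ("initiator sends IKE_SA_INIT request", "initiator", "WAIT KE"),
    ("responder processes IKE_SA_INIT request", "responder", "INIT"),
    ("responder has processed IKE_SA_INIT request", "responder", "WAIT KE"),
    ("initiator sends IKE_AUTH request", "initiator", "WAIT AUTH"),
    ("responder receives IKE_AUTH request", "responder", "WAIT AUTH"),
    ("responder sends IKE_AUTH response", "responder", "DONE"),
    ("initiator receives IKE_AUTH response", "initiator", "DONE"),
]

def timeline():
    """Return [(event, initiator_state, responder_state)]; None = no SA yet."""
    shown = {"initiator": None, "responder": None}
    rows = []
    for event, side, state in STEPS:
        shown[side] = state
        rows.append((event, shown["initiator"], shown["responder"]))
    return rows

def next_step(initiator_state, responder_state):
    """Map the pair of displayed states to the event that is still pending.

    Returns None when both sides show DONE. Raises ValueError when the pair
    cannot occur within one negotiation (for example, the two displays were
    taken for different SAs).
    """
    rows = timeline()
    for i, (_, ini, rsp) in enumerate(rows):
        if (ini, rsp) == (initiator_state, responder_state):
            return rows[i + 1][0] if i + 1 < len(rows) else None
    raise ValueError("state pair does not occur within one negotiation")

if __name__ == "__main__":
    for event, ini, rsp in timeline():
        print(f"{str(ini):10} {str(rsp):10} {event}")
    # Initiator is past IKE_SA_INIT, responder still waits for IKE_AUTH.
    print("pending:", next_step("WAIT AUTH", "WAIT KE"))
```

A pair that stays unchanged across repeated displays points at the pending step as the place to look, for example a message that is not reaching the peer.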