Interpreting IKEv2 IKE SA states

Figure 1 shows how to interpret IKE SA states.

Figure 1. Interpreting IKEv2 IKE SA states
This flowchart is described in the text that follows the figure.
The following state descriptions apply to the Communications Server IKE daemon when acting as the initiator or responder of an IKEv2 phase 1 SA negotiation. These states are shown in the state field of the ipsec -k display command output. See Initial exchanges for a description of the contents of the messages. The numbers in the following list correspond to the numbered items in Figure 1.
  1. The INIT state on the initiator side indicates that the IKE_SA_INIT request has not yet been sent.
  2. The INIT state on the responder side indicates that the responder is processing the IKE_SA_INIT request, which was received from the initiator.
  3. The WAIT KE state on the initiator side indicates that the initiator has sent the IKE_SA_INIT request and is waiting for the IKE_SA_INIT response from the responder.
  4. The WAIT KE state on the responder side indicates that the responder has processed the IKE_SA_INIT request and is waiting for the IKE_AUTH request from the initiator.
  5. The WAIT AUTH state on the initiator side indicates that the initiator has sent the IKE_AUTH request.
  6. The WAIT AUTH state on the responder side indicates that the responder has received the IKE_AUTH request.
  7. The DONE state on the initiator side indicates that the initiator has received the IKE_AUTH response.
  8. The DONE state on the responder side indicates that the responder has sent the IKE_AUTH response.
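
When a negotiation stalls, comparing the state shown on each peer locates the message that has not yet been delivered or processed. The following Python sketch is an added example, not part of the original documentation or of Communications Server: it replays the eight steps above in order and places a pair of displayed states on that timeline. It assumes a single negotiation with no retransmissions; the names `timeline` and `diagnose` and the `NO_SA` label (the responder has no phase 1 SA yet) are hypothetical.

```python
# Added example: replay the IKEv2 initial exchanges and record the state pair
# (initiator, responder) that holds between consecutive events.
NO_SA = "(no SA)"  # assumed label: responder has not yet seen the request

# (peer whose state changes, its new state, event causing the change),
# in the order given by list items 1-8 above.
STEPS = [
    ("initiator", "WAIT KE",   "IKE_SA_INIT request sent by initiator"),
    ("responder", "INIT",      "IKE_SA_INIT request received by responder"),
    ("responder", "WAIT KE",   "IKE_SA_INIT request processed by responder"),
    ("initiator", "WAIT AUTH", "IKE_AUTH request sent by initiator"),
    ("responder", "WAIT AUTH", "IKE_AUTH request received by responder"),
    ("responder", "DONE",      "IKE_AUTH response sent by responder"),
    ("initiator", "DONE",      "IKE_AUTH response received by initiator"),
]


def timeline():
    """Map each reachable (initiator, responder) pair to (last, pending) events."""
    state = {"initiator": "INIT", "responder": NO_SA}
    last = "negotiation started"
    seen = {}
    for peer, new_state, event in STEPS:
        seen[(state["initiator"], state["responder"])] = (last, event)
        state[peer] = new_state
        last = event
    seen[(state["initiator"], state["responder"])] = (last, None)
    return seen


def diagnose(initiator_state, responder_state=NO_SA):
    """Return (status, last_completed_event, pending_event) for a state pair."""
    hit = timeline().get((initiator_state, responder_state))
    if hit is None:
        # Pair never occurs in one negotiation: the two displays most likely
        # show different SAs, or one of them is stale.
        return ("inconsistent", None, None)
    last, pending = hit
    return ("established" if pending is None else "waiting", last, pending)


if __name__ == "__main__":
    # Constructed sample state pairs, as read from each peer's display.
    for pair in [("WAIT KE", NO_SA), ("WAIT KE", "WAIT KE"),
                 ("WAIT AUTH", "DONE"), ("DONE", "DONE"), ("DONE", "WAIT KE")]:
        print(pair, "->", diagnose(*pair))
```

A pair such as initiator WAIT AUTH with responder DONE means the IKE_AUTH response has been sent but not yet received, so the path from responder to initiator is the place to look.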