3.8.5.1 GSS-API Response Received

To understand how the initiator can get to GSS-API Request Sent state, see section 3.8.7.1.

Figure 27: GSS-API Response packet

If the initiator is not in GSS-API Request Sent state when it receives the above packet, it MUST tear down the corresponding main mode if it can match the packet to an existing main mode, or silently discard the packet otherwise.

On receiving the above packet in GSS-API Request Sent state, if the initiator is successfully done (as defined in [GSS] and section 2.2.3.1), it MUST transition to GSS-API Done state. Otherwise, the packet MUST be passed to the GSS-API layer for processing. If an error results from this processing, the initiator MUST silently discard the packet and remain in GSS-API Request Sent state. Otherwise, the initiator MUST send another GSS-API request, formatted as specified below, and return to GSS-API Request Sent state.

In the latter case, the initiator MUST send a message #3 constructed as follows:

  • HDR: The ISAKMP header MUST have identical format to the first IKE phase 2 initiator packet (as specified in [RFC2409] section 5.5), except that the exchange type MUST be 243 (MM exchange type). The Encrypted flag SHOULD NOT be set.<19>

  • The remaining payloads MUST follow a non-encrypted Crypto payload.

  • GSS-API: MUST be constructed as specified in [GSS] and section 2.2.3.1.
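The initiator-side handling described above, as an added example that is not code from the MS-IKEE specification or from any Windows component. It models the GSS-API layer as a caller-supplied `gss_step` callable (hypothetical) that returns an output token and a completion flag or raises `GssError`; uses placeholder numbers for the Crypto and GSS-API payload types (the real identifiers are defined in the specification, not on this page); assumes the GSS-API Response uses the same header-plus-payload-chain wire layout as the request so that one builder and one parser serve both directions; and reads "successfully done" as a GSS context the initiator has already completed before the packet arrives. The ISAKMP header layout, the generic payload header and the Encrypted flag bit are from RFC 2408.

```python
import struct
from dataclasses import dataclass
from enum import Enum, auto

# Constants from RFC 2408 (ISAKMP) and the MS-IKEE exchange type quoted above.
ISAKMP_VERSION = 0x10      # major 1, minor 0
MM_EXCHANGE_TYPE = 243     # MS-IKEE GSS-API (MM) exchange type
FLAG_ENCRYPTED = 0x01      # RFC 2408 header Flags field, bit 0
HEADER_LEN = 28
PAYLOAD_NONE = 0
# PLACEHOLDER payload type numbers for the MS-IKEE Crypto and GSS-API payloads
# (assumption for this example; the real values are in the specification).
PAYLOAD_CRYPTO = 0xE0
PAYLOAD_GSSAPI = 0xE1


class State(Enum):
    GSS_REQUEST_SENT = auto()
    GSS_DONE = auto()
    TORN_DOWN = auto()


class GssError(Exception):
    """Raised by the (hypothetical) GSS-API layer when token processing fails."""


@dataclass
class MainModeSA:
    icookie: bytes
    rcookie: bytes
    message_id: int
    state: State = State.GSS_REQUEST_SENT
    gss_done: bool = False     # GSS context already complete on the initiator side


def isakmp_header(sa, next_payload, length, flags=0):
    """RFC 2408 section 3.1 header with the exchange type fixed at 243."""
    return struct.pack("!8s8sBBBBII", sa.icookie, sa.rcookie, next_payload,
                       ISAKMP_VERSION, MM_EXCHANGE_TYPE, flags, sa.message_id, length)


def generic_payload(next_payload, body):
    """RFC 2408 section 3.2 generic payload header followed by the body."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_gss_request(sa, token, crypto_body=b""):
    """Message #3: header (exchange type 243, Encrypted flag clear), a
    non-encrypted Crypto payload, then the GSS-API payload carrying the token."""
    payloads = (generic_payload(PAYLOAD_GSSAPI, crypto_body)
                + generic_payload(PAYLOAD_NONE, token))
    hdr = isakmp_header(sa, PAYLOAD_CRYPTO, HEADER_LEN + len(payloads), flags=0)
    return hdr + payloads


def parse_packet(packet):
    """Return (header dict, {payload_type: body}) by walking the payload chain;
    raises ValueError on any length inconsistency instead of trusting the wire."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    ic, rc, np_, ver, xchg, flags, mid, length = struct.unpack(
        "!8s8sBBBBII", packet[:HEADER_LEN])
    if length != len(packet):
        raise ValueError("header length does not match packet")
    hdr = dict(icookie=ic, rcookie=rc, version=ver, exchange=xchg,
               flags=flags, message_id=mid)
    bodies, off = {}, HEADER_LEN
    while np_ != PAYLOAD_NONE:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        bodies[np_] = packet[off + 4:off + plen]
        np_, off = nxt, off + plen
    return hdr, bodies


def on_gss_response(sas, packet, gss_step):
    """Initiator handling of a received GSS-API Response.

    sas: {(icookie, rcookie): MainModeSA} for every main mode in progress.
    gss_step: callable(input_token) -> (output_token, done); raises GssError.
    Returns the next GSS-API request to send, or None when nothing is sent.
    """
    try:
        hdr, bodies = parse_packet(packet)
    except ValueError:
        return None                                   # malformed: cannot match, discard
    key = (hdr["icookie"], hdr["rcookie"])
    sa = sas.get(key)
    if sa is None:
        return None                                   # no matching main mode: discard
    if sa.state is not State.GSS_REQUEST_SENT:
        sa.state = State.TORN_DOWN                    # matched but wrong state: tear down
        del sas[key]
        return None
    if sa.gss_done:
        sa.state = State.GSS_DONE                     # context already complete
        return None
    try:
        out_token, done = gss_step(bodies.get(PAYLOAD_GSSAPI, b""))
    except GssError:
        return None                                   # GSS-API error: discard, stay put
    sa.gss_done = done
    if not out_token:
        sa.state = State.GSS_DONE                     # nothing left to send
        return None
    sa.state = State.GSS_REQUEST_SENT                 # send message #3 and wait again
    return build_gss_request(sa, out_token)
```

The tear-down and discard branches run before any GSS-API work, so an unsolicited or replayed response that does not match a main mode costs the initiator only a header parse; a matched packet in the wrong state ends that main mode rather than being fed to the security layer.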