[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Timeout problems
There is no spi / protocol to be used in a delete. You can't send a delete
for the Config-Mode exchange itself. My impression was the Joern was
sending a delete for the ISAKMP SA if Ike-Cfg was timing out.
What I was trying to get accross was that if an Ike-Cfg transaction is
taking a long time (perhaps your gw is going to a DHCP server), then you
should increase your timeouts accordingly.
> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@ssh.fi]
> Sent: Thursday, July 15, 1999 11:21 AM
> To: Stephane Beaulieu
> Cc: 'Joern Sierwald'; ipsec@lists.tislabs.com
> Subject: RE: Timeout problems
>
>
> Stephane Beaulieu writes:
> > The delete payload should work; assuming you really want to
> do this. If you
> > tell the other guy that you've deleted your phase1 SA, then
> he should stop
> > sending you ISAKMP messages for that SA. However, I
> believe that your best
> > option is to increase you retry counts / times.
>
> What is the spi and protocol of the configuration mode exchange? To
> fill in delete payload you need spi and protocol, and configuration
> mode does not have them. I think it is overkill to kill the whole
> ISAKMP SA in that case.
>