
Re: IPSec SA DELETE in "dangling" implementation



Paul Koning writes:
> I don't think that works in general.  What would you ping?  The
> security gateway?

The host I want to check, i.e. normally the gateway. 

> But the security policy for the SA may not have that address as an
> allowed (inner) address.

If I enable that kind of keep-alive, then it must be allowed, i.e. I
must make sure that the policy allows me to send packets to the gw if I
want to use a ping-based keep-alive mechanism.

I think adding one policy rule is much easier than making special IKE
notifications or something like that...
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
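The policy-check and miss-counting logic behind the ping-based keep-alive discussed above, as an added example that is not part of the original mail or the SSH toolkit. The `SA`/`Selector` model, the addresses and the three-miss threshold are all constructed assumptions; a real SPD would be consulted instead of an in-memory list.

```python
"""Ping-based keep-alive for a "dangling" IPsec SA (constructed example).

Captures the point made above: before a ping-based keep-alive can be enabled
on an SA, the SA's policy selector must permit ICMP echo to the gateway's
inner address; if it does not, exactly one host/ICMP rule has to be added.
Everything here (addresses, selectors, SA table) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Selector:
    """A policy (SPD) selector: destination network and allowed protocols."""
    dst: ipaddress.IPv4Network
    protocols: Optional[frozenset] = None  # e.g. frozenset({"icmp"}); None = any


@dataclass
class SA:
    name: str
    gateway_inner: ipaddress.IPv4Address      # address the keep-alive ping targets
    selectors: list = field(default_factory=list)
    missed_pings: int = 0


def policy_allows_ping(sa: SA) -> bool:
    """True if some selector on the SA covers ICMP to the gateway's inner address."""
    return any(
        sa.gateway_inner in sel.dst
        and (sel.protocols is None or "icmp" in sel.protocols)
        for sel in sa.selectors
    )


def keepalive_rule(sa: SA) -> Selector:
    """The single host/ICMP rule that must be added before enabling pings."""
    return Selector(ipaddress.ip_network(f"{sa.gateway_inner}/32"), frozenset({"icmp"}))


def record_ping(sa: SA, replied: bool, max_missed: int = 3) -> str:
    """Update the miss counter; 'dead' means the dangling SA should be deleted."""
    sa.missed_pings = 0 if replied else sa.missed_pings + 1
    if sa.missed_pings == 0:
        return "alive"
    return "dead" if sa.missed_pings >= max_missed else "suspect"
```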

