Re: IPSec SA DELETE in "dangling" implementation
Paul Koning writes:
> I don't think that works in general. What would you ping? The
> security gateway?
The host I want to check, i.e. normally the gateway.
> But the security policy for the SA may not have that address as an
> allowed (inner) address.
If I enable that kind of keep-alive, then it must be allowed, i.e. I
must make sure that the policy allows me to send packets to the gw if I
want to use a ping-based keep-alive mechanism.
I think adding one policy rule is much easier than making special IKE
notifications or something like that...
--
kivinen@iki.fi Work : +358-9-4354 3218
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/