Re: IPSec SA DELETE in "dangling" implementation
>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:
Tero> Paul Koning writes:
>> I don't think that works in general. What would you ping? The
>> security gateway?
Tero> The host I want to check, i.e. normally the gateway.
>> But the security policy for the SA may not have that address as an
>> allowed (inner) address.
Tero> If I enable that kind of keep-alive, then it must be allowed,
Tero> i.e. I must make sure that the policy allows me to send packets
Tero> to gw if I want to use ping based keep-alive mechanism.
Yes, that would be the consequence. But that's not a good thing at
all. There are clear security benefits to having a tunnel whose users
have no ability to talk to the security gateway itself. Disallowing
such policies for the sake of a keepalive mechanism doesn't appeal to
me at all.
paul
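To make the policy consequence concrete, here is a small added example (not code from the thread or from any implementation the participants describe) that models an IPsec security policy database (SPD) as an ordered list of selector entries with first-match lookup. The addresses, the two policies and the `spd_lookup`/`ping_keepalive_allowed` helpers are all constructed for illustration. It shows that a restrictive tunnel policy (users may reach only the remote subnet) discards a ping to the gateway's own address, so a ping-based keepalive only works once an extra entry admits inner traffic to the gateway, which is precisely the reachability the restrictive policy was meant to deny.

```python
"""Toy IPsec SPD selector check (constructed example, not from the thread).

A PROTECT entry means "apply IPsec and send through the tunnel to `peer`";
traffic matching no entry is discarded, as the SPD default requires.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class SpdEntry:
    src: IPv4Network            # inner (pre-encapsulation) source selector
    dst: IPv4Network            # inner destination selector
    proto: Optional[str]        # transport protocol; None matches any
    action: str                 # PROTECT, BYPASS or DISCARD
    peer: Optional[str] = None  # tunnel endpoint (outer address) for PROTECT


def spd_lookup(spd: List[SpdEntry], src: str, dst: str, proto: str) -> str:
    """Ordered first-match lookup; anything unmatched is DISCARD."""
    s, d = ip_address(src), ip_address(dst)
    for entry in spd:
        if s in entry.src and d in entry.dst and entry.proto in (None, proto):
            return entry.action
    return DISCARD


def ping_keepalive_allowed(spd: List[SpdEntry], host: str, gateway: str) -> bool:
    """Would an ICMP keepalive from `host` to the gateway travel through the SA?

    The keepalive only exercises the tunnel if the SPD PROTECTs it; BYPASS
    would send it in the clear and DISCARD drops it before encapsulation.
    """
    return spd_lookup(spd, host, gateway, "icmp") == PROTECT


# Constructed topology (documentation addresses): local users on 10.1.0.0/24,
# remote subnet 192.168.5.0/24 behind a security gateway at 203.0.113.9.
REMOTE_GW = "203.0.113.9"

# Restrictive policy: users reach the remote subnet, never the gateway itself.
RESTRICTIVE_SPD = [
    SpdEntry(ip_network("10.1.0.0/24"), ip_network("192.168.5.0/24"),
             None, PROTECT, REMOTE_GW),
]

# The same policy widened so a ping keepalive to the gateway can pass.
# This is the hole the thread objects to: users can now talk to the gateway.
KEEPALIVE_SPD = RESTRICTIVE_SPD + [
    SpdEntry(ip_network("10.1.0.0/24"), ip_network(REMOTE_GW + "/32"),
             "icmp", PROTECT, REMOTE_GW),
]


def gateway_exposure(spd: List[SpdEntry], host: str, gateway: str) -> List[str]:
    """List the protocols on which inner traffic from `host` reaches the gateway.

    A defender reviewing a keepalive change wants this to be empty, or at most
    the single protocol the keepalive needs.
    """
    return [p for p in ("icmp", "tcp", "udp")
            if spd_lookup(spd, host, gateway, p) != DISCARD]


if __name__ == "__main__":
    user = "10.1.0.7"
    print("restrictive: ping keepalive allowed?",
          ping_keepalive_allowed(RESTRICTIVE_SPD, user, REMOTE_GW))
    print("restrictive: gateway exposure", gateway_exposure(RESTRICTIVE_SPD, user, REMOTE_GW))
    print("keepalive:   ping keepalive allowed?",
          ping_keepalive_allowed(KEEPALIVE_SPD, user, REMOTE_GW))
    print("keepalive:   gateway exposure", gateway_exposure(KEEPALIVE_SPD, user, REMOTE_GW))
```

Because lookup is first-match, the widened entry is scoped to ICMP and to the gateway's /32, so `gateway_exposure` reports only `icmp` for the keepalive policy; a broader entry (any protocol, or the gateway's whole subnet) would widen the exposure further, which is the trade-off Paul's reply is pointing at.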