Re: IPSec SA DELETE in "dangling" implementation
Paul Koning writes:
> Tero> If I enable that kind of keep-alive, then it must be allowed,
> Tero> i.e. I must make sure that the policy allows me to send packets
> Tero> to gw if I want to use ping based keep-alive mechanism.
> Yes, that would be the consequence. But that's not a good thing at
> all. There are clear security benefits to having a tunnel whose users
> have no ability to talk to the security gateway itself.
Such as?
Of course you can define the policy to only allow ICMP echo packets,
nothing else.
--
kivinen@iki.fi Work : +358-9-4354 3218
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/