
Re: IPSec SA DELETE in "dangling" implementation



Paul Koning writes:
>  Tero> If I enable that kind of keep-alive, then it must be allowed,
>  Tero> i.e. I must make sure that the policy allows me to send packets
>  Tero> to gw if I want to use ping based keep-alive mechanism.
> Yes, that would be the consequence.  But that's not a good thing at
> all.  There are clear security benefits to having a tunnel whose users
> have no ability to talk to the security gateway itself.

Such as?

Of course you can define the policy to only allow ICMP echo packets,
nothing else.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
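As an added example (not code from the thread or from the SSH toolkit), a first-match SPD lookup in Python modelling the narrowed policy described above: tunnel users may send only ICMP echo requests (the ping keep-alive) to the gateway address, anything else addressed to the gateway is discarded, and traffic to the network behind the gateway is protected as usual. The addresses, the `Rule`/`Packet` representation and the `PROTECT`/`DISCARD` actions are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ICMP, TCP = 1, 6           # IP protocol numbers
ICMP_ECHO_REQUEST = 8      # ICMP type sent by ping

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]       # None matches any protocol
    icmp_type: Optional[int]   # None matches any ICMP type
    action: str                # "PROTECT" (send via the SA) or "DISCARD"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None

def build_spd(users: str, gw: str, remote_net: str) -> List[Rule]:
    """Ordered SPD: the ping keep-alive is the only traffic that tunnel
    users may address to the gateway itself; the rest goes to remote_net."""
    net = ipaddress.ip_network
    return [
        Rule(net(users), net(gw), ICMP, ICMP_ECHO_REQUEST, "PROTECT"),
        Rule(net(users), net(gw), None, None, "DISCARD"),  # anything else to gw
        Rule(net(users), net(remote_net), None, None, "PROTECT"),
    ]

def lookup(spd: List[Rule], pkt: Packet) -> str:
    """First-match lookup; a packet matching no entry is discarded."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in spd:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action
    return "DISCARD"

# Constructed addresses: 10.0.1.0/24 are the tunnel users, 192.0.2.1 is the
# security gateway, 172.16.0.0/16 is the protected network behind it.
SPD = build_spd("10.0.1.0/24", "192.0.2.1/32", "172.16.0.0/16")
```

With this ordering an echo request from a user to the gateway is protected and sent, while TCP to the gateway or an ICMP echo reply addressed to it hits the catch-all discard entry.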