RE: Heartbeats (was RE: keepalives)
> But there are other reasons to do heartbeats. For example, if you
> want to verify that the security gateway still knows about your SAs
> (so you can negotiate new ones if the old ones have vanished for some
> reason). As far as I can see, this "black hole detection" is a
> valuable, perhaps the most valuable, benefit of heartbeat.
Paul,
Is this really necessary though? Presumably if you sent traffic on an IPsec
SA with a SPI that the gateway doesn't recognize, the gw will send you an
authenticated INVALID_SPI notify, which should tell the Client that the
IPsec SA is gone. Of course this requires the presence of a phase 1 SA.
However, this is why the INVALID_SPI notify is there, isn't it?
Stephane.
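
The client-side handling this reply relies on, as an added example that is not part of the original message or of any IKE implementation: an INVALID-SPI notify is acted on only when it arrived under an existing phase 1 SA. The function names, the `phase1_authenticated` flag (assumed to be set by the IKE daemon after it has decrypted and verified the Informational exchange) and the SA table layout are hypothetical, and the sketch assumes the notify's SPI field carries the unrecognized IPsec SPI. The payload layout and constants follow RFC 2408 and RFC 2407.

```python
import struct

# Constants from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
INVALID_SPI = 11              # notify message type INVALID-SPI
IPSEC_DOI = 1
PROTO_AH, PROTO_ESP = 2, 3


def parse_notify(payload: bytes) -> dict:
    """Parse one ISAKMP Notification payload (RFC 2408, section 3.14)."""
    if len(payload) < 12:
        raise ValueError("notification payload shorter than fixed header")
    _next, _rsvd, length, doi, proto, spi_size, ntype = struct.unpack(
        "!BBHIBBH", payload[:12])
    if length != len(payload) or 12 + spi_size > length:
        raise ValueError("inconsistent payload length or SPI size")
    return {"doi": doi, "proto": proto, "type": ntype,
            "spi": payload[12:12 + spi_size]}


def handle_notify(payload: bytes, phase1_authenticated: bool, sad: dict) -> str:
    """Return the action taken; sad maps (proto, spi) -> outbound SA (hypothetical)."""
    if not phase1_authenticated:
        # Without a phase 1 SA the notify is unauthenticated: anyone who
        # observed the SPI on the wire could forge it, so it must not
        # cause an SA to be torn down.
        return "ignored-unauthenticated"
    try:
        n = parse_notify(payload)
    except ValueError:
        return "ignored-malformed"
    if n["doi"] != IPSEC_DOI or n["type"] != INVALID_SPI:
        return "ignored-other-notify"
    if n["proto"] not in (PROTO_AH, PROTO_ESP) or len(n["spi"]) != 4:
        return "ignored-malformed"
    key = (n["proto"], n["spi"])
    if key not in sad:
        return "ignored-unknown-spi"
    del sad[key]                  # the gateway no longer has this SA
    return "renegotiate"          # caller starts a new phase 2 exchange


def build_notify(proto: int, spi: bytes, ntype: int = INVALID_SPI) -> bytes:
    """Build a constructed sample payload for exercising the handler."""
    return struct.pack("!BBHIBBH", 0, 0, 12 + len(spi), IPSEC_DOI,
                       proto, len(spi), ntype) + spi
```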