
RE: IKE and tunneling



On Sat, 11 Dec 1999, Elliott T. Dorham wrote:
> I have a second question: If an IPSec session goes down because of a
> connection being lost or for some other reason, once communications are
> re-established between the two hosts through either the same or different
> pathways, does a new SA have to be negotiated?

It depends on exactly what happened.  Simply losing connectivity between
the two hosts, temporarily, won't break the IPSEC connection, provided
neither end gets impatient and unilaterally declares the connection dead. 
Since SAs are usually rekeyed (i.e., replaced by new ones) regularly, that
will happen *eventually*, but not right away.

The precise path by which packets are flowing is irrelevant; the IPSEC
implementations neither know nor care about that. 

The main reason why an IPSEC connection would be lost and have to be
rebuilt is if one side crashes and reboots... and even that is not
absolutely guaranteed.  It's technically possible to preserve enough
information across a crash to restore network connections, although few
systems actually do that. 

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)


