
Re: Heartbeats draft (fwd)



An invalid SPI error can be the trigger point (along with other carefully
selected conditions). The peer that just came up will know the
tunnel/transport end point of the peer who is trying to send traffic, and
it can initiate a Main Mode SA to that endpoint. This peer should also
include the initial contact, so that the SADs can be sync'ed back again.

If there is some traffic originating on the side of the peer that went
down, then it has to initiate an SA negotiation anyway. An initial contact
will sync the SADs again.
-chinna

On Tue, 28 Mar 2000, Henry Spencer wrote:

> On Mon, 27 Mar 2000, chinna pellacuru wrote:
> > When one of the peers goes down, and comes back up, as I said before, the peer
> > that went down can ("intelligently") initiate fresh SAs with the Initial
> > Contact...
> 
> This assumes that the peer which went down is aware, when it comes back
> up, that it *should* initiate fresh SAs.  That is not necessarily true. 
> If it were, life would indeed be much simpler. 
> 
> In a world of fixed, static, pre-arranged VPN connections, each end can be
> told to re-initiate when it comes back up.  Unfortunately, many people
> wish to use IPSec in much more dynamic situations, where only one end may
> be aware of the immediate desire to send packets.  How does a rebooted
> server determine which of its potential clients it should re-initiate
> with?  It may not even know their IP addresses!
> 
>                                                           Henry Spencer
>                                                        henry@spsystems.net
> 
> 
> 

chinna narasimha reddy pellacuru
s/w engineer
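The exchange described in the two messages above, as an added toy model that is not part of the original thread and not code from any IPsec implementation: two peers keep a Security Association Database keyed by inbound SPI; one peer reboots and loses its SAD; the surviving peer keeps sending on a now-unknown SPI; the rebooted peer answers INVALID_SPI, learns the sending endpoint from that packet, and initiates a fresh SA carrying INITIAL-CONTACT so the surviving peer flushes its stale entries. The peer names, addresses and the `negotiate`/`send` helpers are assumptions for illustration; there is no real IKE or ESP here, only the SAD bookkeeping. The second scenario shows Henry's point: a rebooted peer with nothing to send does not re-initiate on its own, so the stale SA on the surviving side persists until traffic flows in either direction.

```python
"""Toy model of IPsec SAD resynchronisation after one peer reboots.

Constructed example: no cryptography, no real IKE/ESP messages, just the
state transitions (INVALID_SPI as trigger, INITIAL-CONTACT as flush).
"""
import itertools
from dataclasses import dataclass, field

_spi_counter = itertools.count(0x1000)  # assumed SPI allocator for the toy


@dataclass
class Peer:
    name: str
    addr: str
    sad: dict = field(default_factory=dict)       # inbound SPI -> peer address
    peer_spi: dict = field(default_factory=dict)  # peer address -> outbound SPI
    log: list = field(default_factory=list)

    def reboot(self) -> None:
        """Simulate a crash/reboot: all SA state is lost."""
        self.sad.clear()
        self.peer_spi.clear()
        self.log.append("reboot: SAD lost")


def negotiate(initiator: Peer, responder: Peer, initial_contact: bool) -> None:
    """Model a Main Mode + Quick Mode run producing one SA pair.

    With initial_contact=True the responder drops every SA it already holds
    with the initiator, which is what brings the two SADs back in sync.
    """
    if initial_contact:
        stale = [spi for spi, a in responder.sad.items() if a == initiator.addr]
        for spi in stale:
            del responder.sad[spi]
        responder.peer_spi.pop(initiator.addr, None)
        responder.log.append(
            f"INITIAL-CONTACT from {initiator.addr}: flushed {len(stale)} SA(s)")
    spi_in_i = next(_spi_counter)  # initiator's inbound SPI
    spi_in_r = next(_spi_counter)  # responder's inbound SPI
    initiator.sad[spi_in_i] = responder.addr
    initiator.peer_spi[responder.addr] = spi_in_r
    responder.sad[spi_in_r] = initiator.addr
    responder.peer_spi[initiator.addr] = spi_in_i
    initiator.log.append(f"negotiated SA with {responder.addr}")
    responder.log.append(f"negotiated SA with {initiator.addr}")


def send(src: Peer, dst: Peer, payload: str) -> str:
    """Send one protected packet; returns 'delivered' or 'INVALID_SPI'."""
    spi = src.peer_spi.get(dst.addr)
    if spi is None:
        # Sender has traffic but no SA: it must negotiate anyway, and the
        # INITIAL-CONTACT it sends resyncs the other side's SAD.
        negotiate(src, dst, initial_contact=True)
        spi = src.peer_spi[dst.addr]
    if dst.sad.get(spi) == src.addr:
        dst.log.append(f"ESP spi={spi:#x} from {src.addr}: {payload}")
        return "delivered"
    # Unknown SPI: the trigger point from the post. The receiver now knows
    # the sender's endpoint and re-initiates with INITIAL-CONTACT.
    dst.log.append(f"ESP spi={spi:#x} from {src.addr}: INVALID_SPI")
    negotiate(dst, src, initial_contact=True)
    return "INVALID_SPI"


def scenario_surviving_peer_sends() -> dict:
    """A keeps sending after B rebooted; B resyncs via INVALID_SPI."""
    a, b = Peer("A", "10.0.0.1"), Peer("B", "10.0.0.2")  # constructed peers
    negotiate(a, b, initial_contact=False)
    b.reboot()
    before = (len(a.sad), len(b.sad))   # stale SA on A, nothing on B
    first = send(a, b, "hello")         # INVALID_SPI, B re-initiates
    second = send(a, b, "hello again")  # fresh SA pair, delivered
    a_flushed = any("INITIAL-CONTACT" in line for line in a.log)
    return {"before": before, "first": first, "second": second,
            "after": (len(a.sad), len(b.sad)), "a_flushed": a_flushed}


def scenario_rebooted_peer_sends() -> dict:
    """B rebooted and has traffic of its own; it negotiates with INITIAL-CONTACT."""
    a, b = Peer("A", "10.0.0.1"), Peer("B", "10.0.0.2")
    negotiate(a, b, initial_contact=False)
    b.reboot()
    before = (len(a.sad), len(b.sad))   # B knows nothing until it has traffic
    result = send(b, a, "hi")
    return {"before": before, "result": result,
            "after": (len(a.sad), len(b.sad))}


if __name__ == "__main__":
    for name, fn in (("surviving peer sends", scenario_surviving_peer_sends),
                     ("rebooted peer sends", scenario_rebooted_peer_sends)):
        print(name, fn())
```

The `before` tuples are the state Henry is worried about: after the reboot the surviving peer holds one stale SA and the rebooted peer holds none, and nothing in the model changes that until one side actually has a packet to send.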


