
RE: Synchronisation in IKE



Hi,
 Problem 1,2,3: this problem can be solved if IKE keeps a HELLO or keep-alive message periodically (not in RFC).
 Problem 4: In this case B should send INVALID_COOKIE (RFC 2408) notify to A.



-----Original Message-----
From: owner-ipsec@lists.tislabs.com



	I think this is a very important issue and is giving me plenty of headaches.
Are there any documents that talk about how to resynchronise IKE negotiations?
Any advice on the subject would be greatly appreciated.
	Take as an example the next case:

	1- A (Initiator) negotiates with B (Responder)
	2- B reboots and is unable to send any delete notification.
	3- A can't talk to B anymore (A has IPSEC SAs, but no B). I have no solution for this. IDEAS?
	4- IPSEC SAs in A expire. A initiates a Quick Mode negotiation but B doesn't have ISAKMP SAs either.
	   That could be solved by letting A detect that B can't negotiate and initiating a new Phase I negotiation.
	   Is there any problem with this solution? If yes, is there an alternative?
	   What do I do with the old ISAKMP SA? Keep or destroy it? I'd destroy it, but I'm not sure if it can give any problem.

I'd really appreciate any response.
Thanks in advance.

Toni
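
The Problem 4 exchange discussed in this thread, as an added example that is not part of the original messages or of any IKE implementation: B answers a Quick Mode message carrying an unknown cookie pair with an INVALID-COOKIE notify, and A recognises that notify for one of its own SAs. The function names and the `known_sas` / `my_sas` sets are hypothetical; field layouts follow RFC 2408, and the Quick Mode exchange value is taken from RFC 2409.

```python
import os
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 header, 28 bytes
NOTIFY_FIXED = struct.Struct("!BBHIBBH")    # RFC 2408 notification payload, fixed part
PAYLOAD_NONE, PAYLOAD_NOTIFY = 0, 11
EXCH_INFORMATIONAL, EXCH_QUICK_MODE = 5, 32  # Quick Mode value from RFC 2409
INVALID_COOKIE = 4                           # notify message type, RFC 2408
DOI_IPSEC, PROTO_ISAKMP = 1, 1


def build_message(icky, rcky, next_payload, exch, msg_id, body=b""):
    """Serialise an ISAKMP v1.0 message with no flags set."""
    return ISAKMP_HDR.pack(icky, rcky, next_payload, 0x10, exch, 0, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


def responder_check(pkt, known_sas):
    """B's side: return an INVALID-COOKIE notify for an unknown cookie pair, else None.

    known_sas is a hypothetical set of (initiator_cookie, responder_cookie)
    pairs for the ISAKMP SAs B still holds; it is empty right after a reboot.
    """
    if len(pkt) < ISAKMP_HDR.size:
        return None                                  # truncated: drop
    icky, rcky, _np, _ver, exch, _fl, _mid, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt) or rcky == bytes(8) or (icky, rcky) in known_sas:
        return None          # malformed, new Phase 1, or SA known: not this case
    if exch == EXCH_INFORMATIONAL:
        return None          # never answer a notify with a notify
    spi = icky + rcky        # for ISAKMP the SPI is the cookie pair
    notify = NOTIFY_FIXED.pack(PAYLOAD_NONE, 0, NOTIFY_FIXED.size + len(spi),
                               DOI_IPSEC, PROTO_ISAKMP, len(spi), INVALID_COOKIE) + spi
    msg_id = int.from_bytes(os.urandom(4), "big")    # fresh ID for the Informational exchange
    return build_message(icky, rcky, PAYLOAD_NOTIFY, EXCH_INFORMATIONAL, msg_id, notify)


def initiator_check(pkt, my_sas):
    """A's side: return the stale cookie pair named by an INVALID-COOKIE notify, else None."""
    if len(pkt) < ISAKMP_HDR.size + NOTIFY_FIXED.size:
        return None
    icky, rcky, np, _v, exch, _f, _m, _l = ISAKMP_HDR.unpack_from(pkt)
    _n, _r, _plen, _doi, proto, _spi, ntype = NOTIFY_FIXED.unpack_from(pkt, ISAKMP_HDR.size)
    if (np, exch, proto, ntype) != (PAYLOAD_NOTIFY, EXCH_INFORMATIONAL, PROTO_ISAKMP, INVALID_COOKIE):
        return None
    # The notify is unauthenticated (B has no SA to protect it), so treat it only
    # as a hint to start a new Phase 1; the caller decides when to drop old state.
    return (icky, rcky) if (icky, rcky) in my_sas else None
```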


