
Re: Synchronisation in IKE



>                   message periodically (not in rfc).
>  Problem 4 : In this case B should send INVALID_COOKIE(rfc 2408) notify to
> A

This is correct behavior, though it doesn't really solve the problem.  A
will log the arrival of the INVALID-COOKIE, which might alert some
administrator to look into the problem.  However, A will not self-correct
the out-of-sync SAs, since the INVALID-COOKIE notify is unauthenticated and
therefore untrusted.


>
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
>
> I think this is a very important issue and it is giving me plenty of
> headaches.
> Are there any documents that talk about how to resynchronise IKE
> negotiations?
> Any advice on the subject would be greatly appreciated.
> Take the following case as an example:
>
> 1- A (Initiator) negotiates with B (Responder)
> 2- B reboots and is unable to send any delete notification.
> 3- A can't talk to B anymore (A has IPSEC SAs, but B does not). I have no
> solution for this. IDEAS?
> 4- IPSEC SAs in A expire. A initiates a Quick Mode negotiation, but B
> doesn't have ISAKMP SAs either.
>    That could be solved by letting A detect that B can't negotiate and
> initiating a new Phase I negotiation.
>    Is there any problem with this solution? If yes, is there an
> alternative?
>    What do I do with the old ISAKMP SA? Keep or destroy it? I'd
> destroy it, but I'm not sure if it can cause any problem.
>
> I'd really appreciate any response.
> Thanks in advance.
>
> Toni
>
