RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
> > The inside peer can rekey at any time - it will just cause a new NAT
> > mapping to be created. In the tunnel case this shouldn't cause any problems.
>
> Possibly - but if you do that, you have to do (computationally
> considerably more expensive) Phase I every time too, because the IKE
> mapping _may_ have reset then also (_even_ if your Phase I lifetime
> hasn't expired.. I think that running IKE over NATs is a bad idea to
> start with :>).
I don't understand why you would have to do a Phase 1 every time.
> It's debatable if 5 minutes is the right way to do it, but _some_ way of
> making sure that (even potentially somewhat delayed) Phase II is 'enough'
> to handle the rekey cases.
The retransmission timer used for IKE NAT SAs should never be
increased above M (20 seconds). Perhaps allowing for a larger
retransmission counter.
-dave
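As an added illustration of the point about capping the IKE retransmission interval at M and raising the retransmission count instead (example code written for this page, not from the thread or the draft), the script below compares an uncapped doubling backoff with one capped at 20 seconds against a constructed model of a NAT's UDP mapping idle timeout. The 30-second idle timeout, the 1-second initial interval and all function names are assumptions.

```python
# Upper bound on the IKE retransmission interval proposed in the thread (M).
M_SECONDS = 20

def backoff_schedule(initial, count, cap=None):
    """Send times (seconds) of the initial message plus `count` retransmissions.
    The interval doubles after every send; with `cap` set, no interval exceeds it."""
    times, interval, t = [0], initial, 0
    for _ in range(count):
        if cap is not None:
            interval = min(interval, cap)
        t += interval
        times.append(t)
        interval *= 2
    return times

def mapping_changes(send_times, idle_timeout):
    """Count the sends that would find the NAT mapping expired, i.e. the gaps
    between consecutive outbound packets longer than the mapping's idle timeout.
    Each such gap means the NAT allocates a fresh mapping (new external port)."""
    return sum(1 for a, b in zip(send_times, send_times[1:]) if b - a > idle_timeout)

def retransmissions_needed(initial, cap, span):
    """Retransmission count a capped backoff needs to keep trying for at least
    `span` seconds: this is the 'larger retransmission counter' that replaces a
    longer timer."""
    count, interval, t = 0, initial, 0
    while t < span:
        interval = min(interval, cap)
        t += interval
        count += 1
        interval *= 2
    return count

if __name__ == "__main__":
    NAT_IDLE_TIMEOUT = 30      # constructed: a NAT that drops idle UDP mappings after 30 s
    uncapped = backoff_schedule(1, 7)                          # 1,2,4,...,64 s gaps
    capped = backoff_schedule(1, retransmissions_needed(1, M_SECONDS, uncapped[-1]), cap=M_SECONDS)
    print("uncapped:", uncapped, "mapping changes:", mapping_changes(uncapped, NAT_IDLE_TIMEOUT))
    print("capped:  ", capped, "mapping changes:", mapping_changes(capped, NAT_IDLE_TIMEOUT))
```

Covering the same 127-second retry window, the uncapped schedule lets the mapping expire twice, while the 20-second cap with ten retransmissions keeps every gap under the idle timeout.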