RE: Don't remove TS from IKEv2
> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
>
> [skip]
>
> > Another problem is we cannot change inbound SPD without totally
> > shutting down tunnel. If there are 500 remote users out there and admin
> > wants to change inbound policy (e.g. remove one server from SPD), he needs to
> > change all users' SPD before he can change tunnel setting.
>
> Where in 2401 do you find the basis for this requirement, as opposed
> to an implementation choice in a specific product?
>
If the inbound policy of a tunnel is to allow all users to access 10.0.0.0/16
and the admin wants to change it to 10.0.0.0/24, he cannot just change the SPD of
the gateway, because IKE will check the SPD through the TS payload and fail. The
tunnel will be down until all users' SPD get updated.
Michael
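
The scenario in the message above, as an added example that is not part of the original post or of any IKE implementation: a gateway checks the traffic selectors a user proposes against its own SPD. The function name `check_ts`, the `allow_narrowing` switch and the sample SPDs are assumptions for illustration; the strict mode models the behaviour the message describes, and the narrowing mode models a responder that answers with the subset its policy permits, as RFC 7296 allows.

```python
import ipaddress


def check_ts(proposed, spd, allow_narrowing=False):
    """Return the selectors a gateway would accept, as CIDR strings.

    An empty list means no proposed selector is acceptable, i.e. the
    negotiation fails (TS_UNACCEPTABLE in IKEv2 terms).
    IPv4 CIDR strings only, to keep the example short.
    """
    proposed = [ipaddress.ip_network(p) for p in proposed]
    spd = [ipaddress.ip_network(s) for s in spd]
    accepted = []
    for p in proposed:
        for s in spd:
            if p.subnet_of(s):
                pick = p              # proposal fits inside the policy entry
            elif allow_narrowing and s.subnet_of(p):
                # Two CIDR blocks are either disjoint or nested, so the
                # intersection is simply the smaller block.
                pick = s
            else:
                continue
            if str(pick) not in accepted:
                accepted.append(str(pick))
    return accepted


# Constructed sample policies matching the numbers in the message.
USER_SPD = ["10.0.0.0/16"]         # what each remote user still proposes
GATEWAY_OLD = ["10.0.0.0/16"]      # gateway inbound policy before the change
GATEWAY_NEW = ["10.0.0.0/24"]      # gateway inbound policy after the change

if __name__ == "__main__":
    print("before change:     ", check_ts(USER_SPD, GATEWAY_OLD))
    print("after, strict:     ", check_ts(USER_SPD, GATEWAY_NEW))
    print("after, narrowing:  ", check_ts(USER_SPD, GATEWAY_NEW, True))
    print("after, user updated:", check_ts(GATEWAY_NEW, GATEWAY_NEW))
```
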