interoperability issue with 'lifekbytes'
Hi,

We are frequently encountering interoperability problems
with 'lifekbytes' configuration. Different vendors accept/implement
different ways. Having a consistent method mentioned in the
standards will help eliminate/reduce the misinterpretation.
Any feedback on the following interoperability issue from the WG
is appreciated.

Security Gateway1--------------------Security Gateway2

Admin at SG1 configured the IPSEC security policy
indicating that 'lifekbytes' is not expected.
SG2 sends QM SA payload with lifekbytes attribute with some
value. Should SG1 accept the SA payload or should it deny
the SA payload?

We feel that, since the local admin made a choice that lifekbytes
is not required/expected, it should deny the SA negotiation.
What is the right thing to do? Also, we feel that having
consistent configuration on both ends will eliminate the
confusion.

Related question:
What happens when SG1 starts the quick mode?
Should SG2 deny the negotiation as it expected the lifekbytes
attribute, but there is no 'lifekbytes' attribute coming from SG1?

We feel that, for both cases to work, it is better to have
the same configuration on both ends so that it works consistently
and give choice to the administrators.

Thanks in advance,
Arun