interoperability issue with 'lifekbytes'
Hi,
Sorry, my previous message format was bad. I'm resending it with proper
format.
We are frequently encountering interoperability problems
with 'lifekbytes' configuration. Different vendors accept/implement
it in different ways. Having a consistent method mentioned in the
standards will help eliminate/reduce the misinterpretation.
Any feedback from the WG on the following interoperability issue
is appreciated.
Security Gateway1--------------------Security Gateway2
Admin at SG1 configured the IPSEC security policy
indicating that 'lifekbytes' is not expected.
SG2 sends a QM SA payload with a lifekbytes attribute with some
value. Should SG1 accept the SA payload OR should it deny
the SA payload?
We feel that, since the local admin made a choice that lifekbytes
is not required/expected, it should deny the SA negotiation.
What is the right thing to do? Also, we feel that having a
consistent configuration on both ends will eliminate the
confusion.
Related question:
What happens when SG1 starts the quick mode?
Should SG2 deny the negotiation as it expected lifekbytes
attribute, but there is no 'lifekbytes' attribute coming from SG1?
We feel that, for both cases to work, it is better to have the
same configuration on both ends so that it works consistently
and gives a choice to the administrators.
Thanks in advance,
Arun