ipsec November 2007 archive

Re: [IPsec] CHILD_SA and PFS

From: Tero Kivinen <kivinen_at_nospam>
Date: Tue Nov 20 2007 - 13:20:46 GMT
To: Yoav Nir <ynir@checkpoint.com>


Yoav Nir writes:
> I can think of two ways to fix this:

I think the easiest is to fix the configuration. Note that this does not cause any big problem even if nothing is done. The IPsec SA rekey will fail, which means the IPsec SA will expire, and when creating a new IPsec SA fails too, the initiator will tear down the IKE SA and recreate it, which will again generate a new IKE SA and IPsec SA, and traffic works again.

I.e. every few hours there are a few seconds when traffic does not work because of a configuration error. If the user wants to get rid of it, he should fix the configuration.
-- 
kivinen@safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec