|Main Archive Page > Month Archives > ipsec archives|
Yoav Nir writes:
> This assumes that generating a new IKE SA is a painless procedure. For
> clients, this could mean keying in a passcode from a token, or
> entering a password or pushing some button on a phone.
Which will cause the client to fix the problem sooner than later, which is even better.
> Even if generating an IKE SA is painless, it's also bad if you need
> multiple SAs. Only the first SA (the one that happened to trigger IKE)
> will succeed. All the others will fail (assuming all require PFS). So
> we have a badly mismatched configuration that occasionally works.
If the policies are different, any of the later SAs can fail too, regardless of PFS. I do not really see that big difference in PFS. In normal case the client should not really care what is configured for the PFS group, it should be configured to: suggest without PFS, allow also any group supported. Then the server can request what kind of policy it wants. -- email@example.com _______________________________________________ IPsec mailing list IPsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec