Hi Michael 

> Let me suggest a situation where perhaps I would like to 
> bring up an IKE_SA and not a CHILD_SA: it might be for just 
> sending initial contact, and perhaps even a DELETE.
> 
> I sometimes move quickly from being "outside" my IPsec 
> gateway/firewall (such as being on wireless), to being wired 
> behind the gateway, where I do not need IPsec.  The DPD 
> doesn't kick off fast enough, and my traffic goes to where I 
> am no longer.  It would be nice to bring up the IKE_SA (or... 
> haha, resume it), just so that I can send a delete and/or 
> initial_contact. 

A far more common situation is when I'm "outside", not moving anywhere, and I 
want to connect.  I haven't even opened my mail client yet, or launched the 
browser (because those things hate it when the VPN client changes routing to 
addresses they are trying to reach).

The reason I want to connect before everything else, is that connecting 
involves some effort (typing the PKCS#12 password, entering a username and 
password, copying the OTP from the cellphone to the computer...). I want to get 
this over with, but there's still no packet to derive selectors from.

With IKEv1 we had the separate Main Mode and then Quick Mode. Now we can't do 
Main Mode without attempting Quick Mode.

> Seems like to do this, one needs to include a 
> known-to-be-unacceptable CHILD_SA proposal.

Actually it doesn't have to be acceptable, as the IKE_AUTH will succeed even if 
the piggy-backed CHILD_SA fails.  

Now I would never suggest that anyone use a traffic selectors type from the 
private range (241-255) which is almost guaranteed to fail...

Yoav
Email secured by Check Point
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
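The point of the exchange above is that IKEv2 decides the IKE_SA and the piggybacked CHILD_SA separately: an IKE_AUTH that authenticates but whose child negotiation is rejected still leaves an IKE_SA in place. The following Python model is an added illustration, not code from the thread or from any IKE implementation. It abstracts peer authentication to a boolean, reduces the child negotiation to an ESP transform match plus a traffic selector type check, and uses the IANA numbers from RFC 7296 (TS types 7 and 8 as the standard address-range selectors, 241-255 as Private Use; notify types 14 NO_PROPOSAL_CHOSEN, 24 AUTHENTICATION_FAILED, 38 TS_UNACCEPTABLE). The responder policy values are constructed for the example.

```python
"""Model of how an IKEv2 responder settles an IKE_AUTH request.

Added illustration (not code from the ipsec list thread). The IKE_SA
outcome depends only on authentication; the CHILD_SA outcome is decided
afterwards and never undoes the IKE_SA. Constant values are taken from
the RFC 7296 IANA registries; the responder policy is made up.
"""
from dataclasses import dataclass
from typing import List, Optional

# Traffic Selector types (RFC 7296 section 3.13.1 / IANA)
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
SUPPORTED_TS_TYPES = {TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE}
PRIVATE_USE_TS_TYPES = range(241, 256)   # "almost guaranteed to fail"

# Notify message types (RFC 7296 section 3.10.1)
NO_PROPOSAL_CHOSEN = 14
AUTHENTICATION_FAILED = 24
TS_UNACCEPTABLE = 38

# Constructed responder policy: the only ESP transform it accepts.
RESPONDER_ESP_TRANSFORMS = {"ENCR_AES_GCM_16"}


@dataclass
class IkeAuthRequest:
    auth_ok: bool                 # stands in for AUTH payload verification
    child_transforms: List[str]   # ESP transforms offered in the SA payload
    ts_type: int                  # TS type used in the TSi/TSr payloads


@dataclass
class IkeAuthResponse:
    ike_sa_established: bool
    child_sa_established: bool
    notify: Optional[int] = None  # error notify carried back, if any


def responder_ike_auth(req: IkeAuthRequest) -> IkeAuthResponse:
    """Decide the IKE_SA first, then (independently) the piggybacked child."""
    # Authentication failure aborts the whole exchange: no IKE_SA at all.
    if not req.auth_ok:
        return IkeAuthResponse(False, False, notify=AUTHENTICATION_FAILED)
    # From here the IKE_SA exists; child failures only add an error notify.
    if not set(req.child_transforms) & RESPONDER_ESP_TRANSFORMS:
        return IkeAuthResponse(True, False, notify=NO_PROPOSAL_CHOSEN)
    if req.ts_type not in SUPPORTED_TS_TYPES:
        return IkeAuthResponse(True, False, notify=TS_UNACCEPTABLE)
    return IkeAuthResponse(True, True)


def initiator_view(resp: IkeAuthResponse) -> str:
    """What the initiator may do next, given the responder's answer."""
    if not resp.ike_sa_established:
        return "no IKE_SA: retry authentication"
    if not resp.child_sa_established:
        # Authenticated control channel only: INFORMATIONAL exchanges such
        # as DELETE work, but there is no CHILD_SA to carry user traffic.
        return "IKE_SA only: INFORMATIONAL (e.g. DELETE) possible, no traffic"
    return "IKE_SA and CHILD_SA: traffic can flow"


if __name__ == "__main__":
    # Deliberately unacceptable child: a Private Use TS type.
    childless = IkeAuthRequest(True, ["ENCR_AES_GCM_16"], PRIVATE_USE_TS_TYPES[0])
    print(responder_ike_auth(childless), initiator_view(responder_ike_auth(childless)))
```

Feeding a request with a Private Use TS type (241) returns `ike_sa_established=True`, `child_sa_established=False`, `notify=38`, which is exactly the "IKE_SA without CHILD_SA" state the thread is after; a request whose AUTH check fails returns neither SA.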