> To exemplify, the other end of the tunnel is represented by an ISA 2006.
> After about 5-6 minutes of idle time within the tunnel (no traffic
> exchange between the two sides), ISA will drop the IPsec SA, informing
> its tunnel partner about this. The IKE SA is not dropped.
> If the other end of the tunnel was, say, another ISA, and no traffic was
> needed to pass through the tunnel, then no IKE QM negotiations will
> follow, so no IPsec SA. Once traffic destined to the remote site reaches
> ISA, IKE QM negotiations are started and IPsec SAs are established.
> I suppose the logic behind this is not to waste resources.
> However, Vyatta, after receiving the ISAKMP Informational packet from
> ISA to delete the SA, does so and immediately starts the IKE QM
> negotiations to establish a new IPsec SA even when there is no traffic ready
> to be sent through the tunnel.
I think the reason for the immediate re-establishment is the "auto=start" value in /etc/ipsec.conf. If you want to experiment you could try logging in as root, editing /etc/ipsec.conf and changing "auto=start" to "auto=add". Then go back into xorpsh and do a "clear vpn ipsec-process" to reread the conf file. If that works then I can send you a patch to the perl script that generates that conf file.

stig

> So we end up consuming resources instead of saving them.
> ISA lets me modify its idle timer through a reg hack, but it's a global
> modification (not per site).
> As said before, this is not really an issue or a problem. I do not have
> anything against maintaining the IPsec SA up throughout its lifetime.
> By the way, ISA does not support DPD.
> Thanks,
> Adrian

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
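As an added illustration of the experiment Stig describes (this is a constructed ipsec.conf fragment in Openswan syntax, not a file taken from the thread or generated by Vyatta's perl script): the conn name, addresses, subnets, proposals and PSK setting are all assumptions, and only the auto= line is the point. With auto=start, pluto initiates the conn at startup and again as soon as the peer deletes the IPsec SA, which is the behaviour Adrian observed. With auto=add the conn is only loaded, so the Vyatta side never initiates on its own; the IPsec SA comes back when ISA, which keeps its IKE SA, starts Quick Mode for real traffic. If the Vyatta side must also be able to bring the tunnel up on demand, auto=route loads the conn and installs a trap so that outbound traffic from the Vyatta side triggers the negotiation.

```conf
# /etc/ipsec.conf fragment (constructed example; every value below is assumed)
config setup
        interfaces=%defaultroute
        nat_traversal=no

conn peer-isa2006
        left=%defaultroute
        leftsubnet=10.1.0.0/24
        right=203.0.113.10
        rightsubnet=10.2.0.0/24
        authby=secret
        keyexchange=ike
        ike=3des-sha1-modp1024
        esp=3des-sha1
        pfs=yes
        # What Vyatta generates: initiate now, and re-initiate immediately
        # after every ISAKMP Informational delete from ISA, traffic or not.
        auto=start
        # Stig's experiment: load the conn only. pluto waits for ISA to
        # start IKE QM when ISA has traffic to send.
        #auto=add
        # Alternative if this side must also initiate on demand: load the
        # conn and install a trap so outbound traffic triggers IKE QM.
        #auto=route
```

After changing the line, rerun the daemon with "clear vpn ipsec-process" from xorpsh as Stig suggests. Note that a hand edit of /etc/ipsec.conf survives only until the perl script regenerates the file from the Vyatta configuration, so the experiment confirms the cause; the durable fix is the patch to that script.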