You might consider a creative solution with Dead Peer Detection. Per ipsec.conf(4), you enable Dead Peer Detection by using an ike dynamic statement.
Heya

On Thu, Apr 14, 2011 at 3:09 AM, Scott McEachern <sc...@blackstaff.ca> wrote:
> On 04/13/11 09:38, Randal L. Schwartz wrote:
>>>>>>> "Scott" == Scott McEachern <sc...@blackstaff.ca> writes:
>>
>> Scott> It's called "port knocking". Google is your friend here.
>>
>> And if you recommend or use port knocking, you're an amateur at crypto.
>> If adding 8 sniffable bits to your effective key length makes you
>> significantly more secure, you've lost the game already.
>>
>
> I'm not advocating it, but it is what he's asking about.
>
> I should have added "This is not a good idea", but I was hoping he'd figure
> that out by reading about it.
>
> Nemir, you might want to go back and find out exactly what problem the bank
> is trying to solve with their idea.
>

Actually, from what I read in his email, it isn't Port knocking he is after. What the Bank likely wants is to not have any n+ client(s) out of however many maintaining a permanent VPN through their infrastructure, thereby leading to a potential DoS for their other clients (based on several appliances having hardware / licensing limitations on how many concurrently active VPNs are running at once). Thus what the Bank would like is for the VPN connection to be torn down after the relevant data is transmitted.

And no, I don't see a "disconnect" option after a brief read of the IPSEC man pages either.

Shane