On Tue, Feb 21, 2006 at 11:39:05AM +0100, Patrick McHardy wrote:
>
> The idle time expiration of policies is used for DPD, right? I wonder
> why the SAs aren't used for this (also with idle time expiration),
> unlike the policy they are directly related to a peer.

For IKE IPsec usage there is usually a bijection between the SAs and
the policies (except when rekeying). So it should be fine to use the
policies for idle expiration. In fact I even have a patch for *swan
that does this which I need to dig up and resubmit.

Actually neither policies nor SAs are a perfect fit for DPD because
for each peer there can always be multiple SAs/policies to track.
So you only want to probe when all of them go idle.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
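
The "probe only when all of them go idle" rule from the message above, as an added example (not code from the thread, the kernel, or Openswan). The table layout and function names are hypothetical, and times are plain seconds; it also covers the rekey window, where an old entry sits idle while its replacement carries traffic.

```c
#include <stdbool.h>

#define MAX_ENTRIES 16

/* One tracked SA or policy. Layout and names are hypothetical. */
struct entry { bool in_use; int peer; long last_used; /* seconds */ };
static struct entry table[MAX_ENTRIES];

/* Track a new SA/policy for a peer (first negotiation or rekey). */
int entry_add(int peer, long now)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (!table[i].in_use) {
            table[i] = (struct entry){ true, peer, now };
            return i;
        }
    }
    return -1; /* table full */
}

/* Record traffic seen on an entry. */
void entry_touch(int slot, long now)
{
    if (slot >= 0 && slot < MAX_ENTRIES && table[slot].in_use)
        table[slot].last_used = now;
}

/* Stop tracking an entry (SA or policy deleted or expired). */
void entry_del(int slot)
{
    if (slot >= 0 && slot < MAX_ENTRIES)
        table[slot].in_use = false;
}

/* Probe only when the peer has entries and every one of them is idle. */
bool dpd_should_probe(int peer, long now, long idle_timeout)
{
    bool seen = false;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (!table[i].in_use || table[i].peer != peer)
            continue;
        if (now - table[i].last_used < idle_timeout)
            return false; /* one active entry shows the peer is alive */
        seen = true;
    }
    return seen; /* false when the peer has nothing tracked */
}

int main(void) { entry_add(1, 0); return dpd_should_probe(1, 30, 30) ? 0 : 1; }
```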