Herbert Xu wrote:
> On Tue, Feb 21, 2006 at 11:39:05AM +0100, Patrick McHardy wrote:
> 
>>The idle time expiration of policies is used for DPD, right? I wonder
>>why the SAs aren't used for this (also with idle time expiration),
>>unlike the policy they are directly related to a peer.
> 
> 
> For IKE IPsec usage there is usually a bijection between the SAs and the
> policies (except when rekeying).  So it should be fine to use the policies
> for idle expiration.  In fact I even have a patch for *swan that does this
> which I need to dig up and resubmit.

With tunnel mode, yes, but with transport mode you can have one policy
for many peers. In that case you will have false positives as long as
a single peer is alive.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

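To make the transport-mode objection concrete, here is a small simulation added as an illustration; it is not code from the kernel, from *swan, or from either participant in this thread. It models two tunnel-mode peers (one policy each, so policies and SAs are in bijection) and one transport-mode policy shared by two peers, and runs an idle-time check once keyed on policies and once keyed on SAs. Everything in it is an assumption for the example: the Policy, SA and XfrmModel names, the idle_peers_by_policy / idle_peers_by_sa functions, the peer names and SPIs, and the constructed traffic timeline; none of it corresponds to real xfrm structures or APIs.

```python
"""Constructed simulation (an added example, not kernel, netdev or *swan code)
of idle-time dead-peer detection keyed on IPsec policies versus on SAs.

The model is hypothetical: Policy, SA, XfrmModel, idle_peers_by_policy and
idle_peers_by_sa are names assumed for this example and do not correspond
to real xfrm structures or APIs.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class Policy:
    policy_id: str
    mode: str                # "tunnel" or "transport"
    last_seen: float = 0.0   # last time a packet matched this policy


@dataclass
class SA:
    spi: int
    peer: str                # the one peer this SA was negotiated with
    policy_id: str           # the policy this SA was set up to satisfy
    last_seen: float = 0.0   # last time a packet used this SA


class XfrmModel:
    """Minimal stand-in for the policy and SA databases, tracking idle times."""

    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}
        self.sas: Dict[int, SA] = {}

    def add_policy(self, policy_id: str, mode: str) -> None:
        self.policies[policy_id] = Policy(policy_id, mode)

    def add_sa(self, spi: int, peer: str, policy_id: str) -> None:
        if policy_id not in self.policies:
            raise KeyError(f"no policy {policy_id} for SA {spi:#x}")
        self.sas[spi] = SA(spi, peer, policy_id)

    def traffic(self, spi: int, now: float) -> None:
        """A packet sent on SA `spi` at `now` refreshes the SA and its policy."""
        sa = self.sas[spi]
        sa.last_seen = now
        self.policies[sa.policy_id].last_seen = now

    def idle_peers_by_policy(self, now: float, idle_limit: float) -> Set[str]:
        """Policy-keyed idle expiry: a peer becomes a DPD candidate only when
        the policy its SA hangs off has carried nothing for idle_limit."""
        return {
            sa.peer
            for sa in self.sas.values()
            if now - self.policies[sa.policy_id].last_seen > idle_limit
        }

    def idle_peers_by_sa(self, now: float, idle_limit: float) -> Set[str]:
        """SA-keyed idle expiry: each SA is bound to one peer, so an idle SA
        points directly at the peer that went quiet."""
        return {sa.peer for sa in self.sas.values()
                if now - sa.last_seen > idle_limit}


def build_scenario() -> XfrmModel:
    """Constructed sample: two tunnel-mode peers with one policy each, plus a
    single transport-mode policy shared by two peers (peerC and peerD)."""
    m = XfrmModel()
    m.add_policy("tun-to-A", "tunnel")
    m.add_policy("tun-to-B", "tunnel")
    m.add_policy("transport-any", "transport")
    m.add_sa(0x100, "peerA", "tun-to-A")
    m.add_sa(0x200, "peerB", "tun-to-B")
    m.add_sa(0x300, "peerC", "transport-any")
    m.add_sa(0x400, "peerD", "transport-any")
    # t=0: every peer is sending
    for spi in (0x100, 0x200, 0x300, 0x400):
        m.traffic(spi, 0.0)
    # t=10..60: peerA and peerC have gone silent; peerB and peerD keep sending
    for t in range(10, 61, 10):
        m.traffic(0x200, float(t))
        m.traffic(0x400, float(t))
    return m


def compare(now: float = 70.0, idle_limit: float = 30.0) -> Tuple[Set[str], Set[str]]:
    """Return (idle peers by policy keying, idle peers by SA keying)."""
    m = build_scenario()
    return (m.idle_peers_by_policy(now, idle_limit),
            m.idle_peers_by_sa(now, idle_limit))


if __name__ == "__main__":
    by_policy, by_sa = compare()
    print("policy-keyed idle peers:", sorted(by_policy))        # ['peerA']
    print("SA-keyed idle peers:    ", sorted(by_sa))            # ['peerA', 'peerC']
    print("missed by policy keying:", sorted(by_sa - by_policy))  # ['peerC']
```

In the tunnel-mode half the two checks agree, because peerA's policy is idle exactly when peerA's SA is. In the transport-mode half, peerD's traffic keeps "transport-any" fresh, so the policy-keyed check never flags peerC even though peerC's SA has been silent since t=0; only the SA-keyed check singles it out, which is the false-positive liveness result the last message describes.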