Hi Julian,
> Keep the rekey interval below the ISAKMP timeout in LVS and be
> happy, the connections can last months :))) One ISAKMP entry per
> CIP[:CPORT], no ESP/AH entries.

Yes, after reading your posts and the document again, I see it now.

> I don't believe a client will create many ESP connections
> to one server, this is not a web :)))

No, but maybe many connections to different servers on the same physical
segment.

> Note that there must be a safe
> mechanism for the server to notify the client about many different
> subnets guarded from this gateway. Maybe only if ISAKMP is
> extended to create a list of subnets for negotiation. Currently,
> it is only one subnet (we are talking about the proposed
> opportunistic encryption). But the hidden issue is how much traffic
> each SA creates, as we discussed already. It can be handled
> safely by using dynamic weights for RSs. And with IPSec termination
> the RSs will do mostly decryption, with small traffic :)

Good.
Cheers,
Roberto Nibali, ratz
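A toy model of the persistence rule discussed in this thread (rekey interval below the LVS persistence timeout, one ISAKMP template per CIP, dynamic RS weights), added here as an illustration; it is not code from the thread or from LVS itself, and the real-server names, weights and client addresses are constructed:

```python
"""Simplified model of LVS persistence for ISAKMP (UDP/500) flows.

Added example, not LVS code. A persistence template maps a client IP
to one real server (RS) and is refreshed by each packet that uses it;
if the client's IKE rekey arrives after the template has expired, the
director schedules it afresh and it may land on an RS that holds no
SA for that client. The scheduler here is a plain weighted round-robin.
"""
from dataclasses import dataclass, field


@dataclass
class Director:
    real_servers: dict              # RS name -> weight (constructed sample values)
    persist_timeout: float          # persistence timeout in seconds (ipvsadm -p)
    templates: dict = field(default_factory=dict)  # CIP -> (rs, expires_at)
    _rr: int = 0

    def set_weight(self, rs: str, weight: int) -> None:
        # Dynamic weights: 0 stops new templates from being assigned to rs,
        # but existing templates keep pointing at it (quiescing, not killing).
        self.real_servers[rs] = weight

    def _schedule(self) -> str:
        # Weighted round-robin over the RSs with a non-zero weight.
        expanded = [rs for rs, w in self.real_servers.items() for _ in range(w)]
        rs = expanded[self._rr % len(expanded)]
        self._rr += 1
        return rs

    def isakmp_packet(self, cip: str, now: float) -> str:
        """Return the RS that an ISAKMP packet from cip is forwarded to at time now."""
        entry = self.templates.get(cip)
        if entry is not None and entry[1] > now:   # strictly before expiry
            rs = entry[0]          # template alive: stick to the same RS
        else:
            rs = self._schedule()  # expired or unknown client: reschedule
        self.templates[cip] = (rs, now + self.persist_timeout)  # refresh template
        return rs


def rekey_stays_on_one_rs(rekey_interval: float, persist_timeout: float,
                          rekeys: int = 5) -> bool:
    """True if every rekey of one client reaches the RS holding its IKE SA."""
    d = Director({"rs1": 1, "rs2": 1, "rs3": 2}, persist_timeout)
    first = d.isakmp_packet("10.0.0.7", 0.0)   # constructed client address
    return all(d.isakmp_packet("10.0.0.7", i * rekey_interval) == first
               for i in range(1, rekeys + 1))
```

Note that a rekey interval exactly equal to the persistence timeout already loses the template in this model, which is why the rule says "below", not "at most".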