Srivatsan Raghavan writes:
> How does a Security Gateway specify the validity or duration of an
> IP Address via CP? The INTERNAL_ADDRESS_EXPIRY seems deprecated?

It does not. The IP address is valid as long as the IKEv2 SA is valid:

RFC5996 section 3.15.1:
----------------------------------------------------------------------

   o  INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS - An address on the
...
                                                        The requested
      address is valid as long as this IKE SA (or its rekeyed
      successors) requesting the address is valid.
----------------------------------------------------------------------

> So if the Security Gateway has a notion of lease time, it just has
> to go and delete the tunnel when the address expires and the client
> sets up the tunnel again and requests for an address again?

It can do that, but it might be better to just keep the address
allocation as long as the IKE SA is up and running. If it got that
address from someone else (like from DHCP server or similar), it can
do the automatic renewal of the address when it is about to expire,
and if that fails, only then delete the IKEv2 SA.
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
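As an added illustration of the behaviour described in the reply above (this is not code from the thread or from any IKEv2 implementation): a small Python model in which a CP-assigned address is bound to its IKE SA, carries over to a rekeyed successor, is renewed against a hypothetical upstream lease server shortly before expiry, and the IKE SA is deleted only when that renewal fails. LeaseServer, Gateway, the tick-based clock and all timing values are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class IkeSa:
    spi: int
    address: str      # CP-assigned INTERNAL_IP4_ADDRESS bound to this SA

class LeaseServer:
    # Stand-in for a DHCP-like upstream that leases addresses to the gateway (hypothetical).
    def __init__(self, renewable):
        self.renewable = renewable   # addresses it will agree to renew
        self.expiry = {}             # address -> absolute expiry time

    def lease(self, addr, now, ttl):
        self.expiry[addr] = now + ttl

    def renew(self, addr, now, ttl):
        ok = addr in self.renewable
        if ok:
            self.expiry[addr] = now + ttl
        return ok

class Gateway:
    def __init__(self, server, ttl, margin):
        self.server, self.ttl, self.margin = server, ttl, margin
        self.sas = {}                # spi -> IkeSa

    def establish(self, spi, addr, now):
        # Address handed out in CP; it stays valid for the whole life of this IKE SA.
        self.server.lease(addr, now, self.ttl)
        self.sas[spi] = IkeSa(spi, addr)
        return self.sas[spi]

    def rekey(self, old_spi, new_spi):
        # A rekeyed successor inherits the address; retiring the old SA releases nothing.
        old = self.sas.pop(old_spi)
        self.sas[new_spi] = IkeSa(new_spi, old.address)
        return self.sas[new_spi]

    def tick(self, now):
        # Renew any lease inside the margin; delete the IKE SA only if renewal fails.
        deleted = []
        for spi, sa in list(self.sas.items()):
            if self.server.expiry[sa.address] - now > self.margin:
                continue             # lease still comfortably valid
            if not self.server.renew(sa.address, now, self.ttl):
                del self.server.expiry[sa.address]   # renewal failed: drop address...
                del self.sas[spi]                    # ...and tear down the IKE SA
                deleted.append(spi)
        return deleted
```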
