Shibu writes:

> With SDWAN use cases (wherein paths could be orchestrated based on proto,
> port, QoS, App ID etc), would it be a precise assumption to make? How would
> we handle these cases when the paths are built for ESP and IKE differently?

If the ESP and IKEv2 packets do not follow the same path, then it is possible that the ESP path is broken, and when we run the test over the IKEv2 path to see whether the connection is broken or not, we do get the result that it works, even when ESP does not.

Because of this I would say that every SDWAN implementation should try to make sure that all ESP and IKEv2 packets do use the same path, as otherwise there might be black holes, or repeated tearing down of SAs and recreating them (i.e., if ESP works but IKEv2 does not).

In case someone still makes an implementation which does that, then IKEv2 can use UDP encapsulation and then both IKEv2 and ESP packets do follow the same path.

I.e., try to avoid those, or if you make them, make sure they have the same PMTU, and if you cannot ensure that, enable UDP encapsulation in IPsec...
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
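An added illustration of the point made in the reply, not code from the thread or from any IPsec implementation: a toy SD-WAN steering policy (assumed, constructed) that matches on IP protocol and UDP port, so native ESP and IKEv2 take different paths and a small IKEv2 liveness exchange cannot see a black hole on the larger ESP packets, whereas UDP-encapsulated ESP shares IKEv2's UDP/4500 tuple and is steered the same way. The NAT-T demultiplexing follows RFC 3948; the policy, path MTUs and packets are constructed for the example.

```python
import struct
from typing import NamedTuple

class Pkt(NamedTuple):
    proto: int      # IP protocol number: 50 = ESP, 17 = UDP
    dport: int      # UDP destination port (0 for native ESP)
    payload: bytes  # UDP payload, or the ESP header for native ESP

# Assumed SD-WAN steering policy (constructed for this example): match on
# IP protocol and UDP port. It sends native ESP and IKEv2 down different
# paths, which is exactly the situation the reply warns about.
POLICY = [(50, None, "inet-a"), (17, 500, "mpls"), (17, 4500, "mpls")]
PATH_MTU = {"mpls": 1500, "inet-a": 1400}  # constructed per-path PMTUs

def select_path(p: Pkt) -> str:
    for proto, port, path in POLICY:
        if p.proto == proto and (port is None or p.dport == port):
            return path
    return "default"

def nat_t_kind(udp_payload: bytes) -> str:
    """RFC 3948 demultiplexing on UDP/4500: a 4-byte zero non-ESP marker
    means IKE; otherwise the first 4 bytes are the ESP SPI, and SPI 0 is
    never sent on the wire for ESP."""
    if len(udp_payload) < 4:
        raise ValueError("UDP payload too short for NAT-T demux")
    (first_word,) = struct.unpack("!I", udp_payload[:4])
    return "ike" if first_word == 0 else "esp"

def same_path(pkts) -> bool:
    """True when every packet of the IKE/ESP pair is steered identically."""
    return len({select_path(p) for p in pkts}) == 1

def black_holed(p: Pkt, wire_len: int) -> bool:
    """With no fragmentation on the path (assumed), a packet larger than
    its path's MTU is silently lost; an IKEv2 liveness exchange running on
    a different path never notices."""
    return wire_len > PATH_MTU[select_path(p)]

# Constructed sample packets: 28 zero bytes stand in for an IKE header;
# ESP carries SPI 0x1001, sequence number 1 and some ciphertext.
IKE_HDR = bytes(28)
ESP_HDR = struct.pack("!II", 0x1001, 1) + bytes(16)
NATIVE = [Pkt(17, 500, IKE_HDR), Pkt(50, 0, ESP_HDR)]                 # IKE udp/500, raw ESP
ENCAP = [Pkt(17, 4500, bytes(4) + IKE_HDR), Pkt(17, 4500, ESP_HDR)]  # both on udp/4500

if __name__ == "__main__":
    print("native pair on one path:", same_path(NATIVE))                     # False
    print("UDP-encapsulated pair on one path:", same_path(ENCAP))            # True
    print("1450-byte native ESP black-holed:", black_holed(NATIVE[1], 1450))  # True
```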
