I think that it could be solved if we define a new notification
that could optionally be sent from the gateway to the client, informing him
that the gateway is going to delete the IKE SA in some time
interval (indicating that interval in the notification).
If cafr is supported by the client and he is willing to use it,
the client will start re-authentication before the end of
the interval. If not - the gateway will just delete the IKE SA
after the interval has ended.

Good idea!  :-)

http://tools.ietf.org/html/rfc4478

Sorry, I completely forgot about this RFC.
Happened funny :-)

Think I should mention that in the draft?

I think yes. BTW, it is only experimental, while your draft's intended status is standards track.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
