[Vpn-help] maintain persistent security associations
Matthew Grooms
mgrooms at shrew.net
Tue Jun 3 21:44:51 CDT 2008
Dietmar Papperitz wrote:
> Hello,
>
> what does this above policy mean? Should it be enabled?
>
Dietmar,
Ahh. The maintain persistent security associations option modifies the
way IPsec SAs are negotiated with the peer. When unchecked, the client
only negotiates security associations when it needs to process a packet
that matches a security policy. When checked, the client will negotiate
an SA for each policy configured immediately after it connects. It then
attempts to immediately renegotiate replacement security associations as
they expire. In other words, maintain persistent security associations
even if they are not being used to process packets. The default behavior
is to negotiate IPsec SAs on demand, which is the standard mode of
operation for PF_KEY driven implementations.
Hope this helps,
-Matthew
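
The two negotiation modes described in the reply above, as a toy timeline model. This is an added example, not part of the original message and not Shrew Soft client code. The policy names, the SA lifetime, the packet times and the simplification that a replacement SA is negotiated exactly at expiry are all assumptions.

```python
# Toy model of IPsec SA negotiation timing. Added illustration only:
# all policies, lifetimes and packet times below are constructed values.

POLICIES = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]   # constructed
LIFETIME = 3600        # assumed SA lifetime in seconds
SESSION_END = 10800    # assumed 3 hour connection
# (time in seconds since connect, policy the packet matches) - constructed
PACKETS = [(120, "10.1.0.0/16"), (150, "10.1.0.0/16"),
           (4000, "10.1.0.0/16"), (9000, "10.2.0.0/16")]


def on_demand(policies, lifetime, packets, session_end):
    """Option unchecked: negotiate only when a packet matches a policy
    that has no live SA. Returns a list of (time, policy) negotiations."""
    expires = {}   # policy -> time its current SA expires
    events = []
    for t, policy in sorted(packets):
        if t >= session_end or policy not in policies:
            continue
        if policy not in expires or expires[policy] <= t:
            events.append((t, policy))
            expires[policy] = t + lifetime
    return events


def persistent(policies, lifetime, session_end):
    """Option checked: negotiate an SA for every policy at connect time and
    a replacement each time one expires, whether or not traffic flows."""
    events = []
    for policy in policies:
        t = 0
        while t < session_end:
            events.append((t, policy))
            t += lifetime
    return sorted(events)


def unused_policies(policies, events):
    """Policies that never had an SA negotiated during the session."""
    return sorted(set(policies) - {policy for _, policy in events})


if __name__ == "__main__":
    demand = on_demand(POLICIES, LIFETIME, PACKETS, SESSION_END)
    nailed = persistent(POLICIES, LIFETIME, SESSION_END)
    print("on demand :", len(demand), "negotiations", demand)
    print("persistent:", len(nailed), "negotiations")
    print("never negotiated on demand:", unused_policies(POLICIES, demand))
```

With the sample input, the on-demand mode never negotiates an SA for the third policy, while the persistent mode keeps one alive for every policy throughout the session.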