If a customer wants to monitor an IPSec-based site-to-site VPN and basically no incoming traffic is needed, would you recommend:

a) setting up a permanent tunnel that can be monitored all the time and blocking all incoming traffic

b) setting up a non-permanent tunnel (e.g. traffic to IPs of the encryption domain is needed to bring the tunnel up) and allowing incoming ICMP traffic from one host to one host in order to allow the customer to bring the tunnel up?

What are the advantages/disadvantages of this from a security perspective?

Best Regards

gumlozol
  • Sorry, it seems I cannot just comment, but I would say that the question needs to be elaborated a bit more. I would say that you can enable keepalives for the tunnel to be up without requiring traffic in the traffic selectors to flow, and block the incoming traffic. – Alex Aug 07 '20 at 13:22
  • Thanks for your answer. So in other words, you would recommend keeping the tunnel up by using keepalives instead of allowing incoming ICMP requests, which would bring the tunnel up just before the monitoring request, right? – gumlozol Aug 07 '20 at 13:28

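The two designs discussed above (a permanent tunnel kept alive without user traffic, versus an on-demand tunnel that only comes up when a matching packet such as the customer's ICMP probe arrives), shown side by side as an added strongSwan `swanctl.conf` example. This is not configuration from the question, the comments, or any vendor; "keepalives" is taken here to mean IKEv2 dead-peer detection (`dpd_delay`), and all addresses, identities and the pre-shared key are constructed placeholders. Only one of the two `connections` entries would be loaded on a real gateway, since they cover the same peer and traffic selectors.

```conf
# Added example (not from the page): strongSwan swanctl.conf contrasting
# a permanent tunnel (option a) with an on-demand tunnel (option b).
# All addresses, identities and the PSK below are constructed placeholders.
connections {

    # Option (a): permanent tunnel. The CHILD_SA is negotiated as soon as the
    # daemon loads the config, and DPD probes keep the IKE_SA alive during
    # periods with no traffic in the traffic selectors. Monitoring can then
    # watch SA state (e.g. via the control interface) rather than having to
    # push traffic through the tunnel, and inbound traffic can be blocked in
    # the host firewall without affecting liveness.
    site-permanent {
        version = 2
        local_addrs  = 203.0.113.10        # our gateway (placeholder)
        remote_addrs = 198.51.100.20       # peer gateway (placeholder)
        dpd_delay = 30s                    # DPD probe after 30 s of silence
        local {
            auth = psk
            id = vpn-a.example.invalid
        }
        remote {
            auth = psk
            id = vpn-b.example.invalid
        }
        children {
            net {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = start       # negotiate immediately, stay up
                dpd_action   = restart     # re-negotiate if the peer goes dead
                esp_proposals = aes256gcm16-x25519
            }
        }
    }

    # Option (b): on-demand tunnel. Only a trap policy is installed; nothing
    # is negotiated until a packet matches the traffic selectors. That is why
    # the asker would need an inbound allow rule for the customer's probe
    # host: without it the customer's own side cannot trigger negotiation.
    site-ondemand {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local {
            auth = psk
            id = vpn-a.example.invalid
        }
        remote {
            auth = psk
            id = vpn-b.example.invalid
        }
        children {
            net {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = trap        # bring up on first matching packet
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

secrets {
    ike-site {
        id-a = vpn-a.example.invalid
        id-b = vpn-b.example.invalid
        secret = "CONSTRUCTED-PLACEHOLDER-PSK"
    }
}
```

The security-relevant difference is where the "bring it up" trigger lives: with `start_action = start` plus DPD the trigger is the IKE exchange itself, authenticated by the PSK, so no unauthenticated inbound packet type has to be permitted through the firewall just to keep the tunnel usable. With `start_action = trap` the trigger is ordinary traffic, so any exposed probe allowance (the one-host-to-one-host ICMP rule in option b) is a permanent, unauthenticated hole that also needs its own monitoring. In both cases the block-all-inbound policy belongs in the host firewall, not in `swanctl.conf`.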