Security Basics mailing list archives
RE: IKE and IPSec SA Lifetimes.
From: "Alexandre Verriere" <alexandre.verriere () gmail com>
Date: Mon, 18 Aug 2008 10:23:08 +0200
Hi, thanks for answering. We have returned to a normal behavior of the VPNs although I haven't reconfigured all the links. It's a little bit strange that only after reconfiguring some of them there are no more errors with the others. BTW, as indicated by Aditya I enabled DPD on the peers but there are again some discontinuities in some VPN connections; the tunnel is down approx. 1 minute while renegotiating the IKE SA with DPD enabled. Thank you all. Alexandre Verriere.

-----Original Message-----
From: Vibhore [mailto:vibhorejn () gmail com]
Sent: Monday, 18 August 2008 05:45
To: ॐ aditya mukadam ॐ; Alexandre Verriere
Cc: security-basics () securityfocus com
Subject: Re: IKE and IPSec SA Lifetimes.

Hi Aditya, Alexandre, Just to add to this discussion. IKE(v1) and IPSec lifetimes are negotiated on most of the major gateways and clients, and I have tested IPSec clients with many gateways and haven't seen something like a lifetime mismatch. In case of IKEv2, rekey works independent of the lifetime values specified on both the peers. NAT-T plays an important role because a machine internal to a NAT-T disabled network can reach any machine outside, but any external machine can reach only one of the internal machines if NAT-T is disabled. DPD is an important aspect of IPSec. Aditya is correct in stating that DPD doesn't have any major negative impact on connections and is used to check the heartbeat of the tunnel. Many gateways and clients allow configuring the DPD timeout value and one can configure it as per need. If for some reason either of the peers is not able to reply with DPD informational messages, the other end tears down the tunnel. I hope this helps you. Have a nice day. ===><=== Vibhore Jain Test Engineer, SafeNet SoftRemote IPSec clients

On Wed, Aug 13, 2008 at 9:11 AM, ॐ aditya mukadam ॐ <aditya.mukadam () gmail com> wrote:
Alexandre, You are right in your understanding: IKE Phase-1 (ISAKMP) lifetime should be greater than IKE Phase-2 (IPSec) lifetime. 86400 sec (1 day) is a common default and is a normal value for Phase 1. Many vendor devices have their own default Phase 1 & 2 lifetimes. For example, PIX/ASA have a different default phase 2 lifetime than Cisco Routers. These values can be changed. Possible issues/suggestions: 1) There can be an 'SA lifetime mismatch' between the two peers (it can be debated that if both devices do not have the same lifetime, the tunnel won't come up. However, my experience suggests that many times tunnels do come up for strange reasons). So, please confirm both the phase 1 & 2 lifetimes match with the peers. This has to be standardized with your 50 sites! 2) Configure keepalive between the two devices. This will make sure that the tunnel is up in case the peers are timing out unexpectedly. Hope this helps. Let me know if any questions. Thanks, Aditya Govind Mukadam

On Tue, Aug 12, 2008 at 2:34 PM, Alexandre Verriere <alexandre.verriere () gmail com> wrote:

Hi all! We are working with VPNs between Zyxel routers and we have a strange issue. The VPN dies and there are IKE retransmit messages sent until the limit is reached. BTW I'm not the person who configures the routers, and I noticed that IKE and IPsec SA are set with the same time value of 86400. My question is: usually IKE SA lifetimes are greater than IPSec SA lifetimes, and are these settings responsible for the troubles we have? Since we are in a production environment, I ask this question because we have 50+ VPNs and I'm struggling to find where's the catch. If anyone can help… Thanks in advance. Alexandre Verriere.
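The two checks Aditya recommends (Phase-1 lifetime greater than Phase-2, and lifetimes matching on both peers) are easy to get wrong across 50+ sites by hand. The following is an added example, not code from the thread or from any Zyxel tool: a small audit over per-tunnel settings, plus a flag for peers without DPD enabled as Vibhore and Aditya suggest. The tunnel records and site names are constructed sample data; a real run would fill them from exported router configs.

```python
"""Audit IKE/IPsec SA lifetime and DPD settings across site-to-site tunnels.

Added example (not from the mailing-list thread). The TUNNELS list is
constructed sample data standing in for settings exported from each router;
all values are in seconds and the tunnel names are hypothetical.
"""

# Constructed sample: each tunnel records both peers' settings.
TUNNELS = [
    {"name": "hq-site01",
     "a": {"ike": 86400, "ipsec": 3600, "dpd": True},
     "b": {"ike": 86400, "ipsec": 3600, "dpd": True}},
    # Same value for both phases and no DPD: the situation described in the thread.
    {"name": "hq-site02",
     "a": {"ike": 86400, "ipsec": 86400, "dpd": False},
     "b": {"ike": 86400, "ipsec": 86400, "dpd": False}},
    # Phase-1 lifetime differs between the two peers.
    {"name": "hq-site03",
     "a": {"ike": 86400, "ipsec": 3600, "dpd": True},
     "b": {"ike": 28800, "ipsec": 3600, "dpd": True}},
]


def check_peer(settings):
    """Return findings for one peer's own settings."""
    findings = []
    # Phase-1 (IKE/ISAKMP) SA should outlive the Phase-2 (IPsec) SAs it protects.
    if settings["ike"] <= settings["ipsec"]:
        findings.append(
            "phase1 lifetime (%d) not greater than phase2 lifetime (%d)"
            % (settings["ike"], settings["ipsec"]))
    # Without DPD a dead peer is only noticed when IKE retransmits exhaust.
    if not settings["dpd"]:
        findings.append("DPD disabled")
    return findings


def check_tunnel(tunnel):
    """Return findings for one tunnel: per-peer issues plus peer mismatches."""
    findings = []
    for side in ("a", "b"):
        findings += ["%s: %s" % (side, f) for f in check_peer(tunnel[side])]
    # Lifetimes must be standardised on both ends of each tunnel.
    for phase in ("ike", "ipsec"):
        left, right = tunnel["a"][phase], tunnel["b"][phase]
        if left != right:
            findings.append(
                "%s lifetime mismatch: a=%d b=%d" % (phase, left, right))
    return findings


def audit(tunnels):
    """Map tunnel name -> findings, listing only tunnels with problems."""
    report = {}
    for tunnel in tunnels:
        findings = check_tunnel(tunnel)
        if findings:
            report[tunnel["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(TUNNELS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints one block per tunnel that needs attention; tunnels whose settings are consistent are omitted so the list stays short even with dozens of sites.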
Current thread:
- TR: IKE and IPSec SA Lifetimes. Alexandre Verriere (Aug 12)
- Re: IKE and IPSec SA Lifetimes. ॐ aditya mukadam ॐ (Aug 13)
- Message not available
- RE: IKE and IPSec SA Lifetimes. Alexandre Verriere (Aug 13)
- Re: IKE and IPSec SA Lifetimes. ॐ aditya mukadam ॐ (Aug 13)
- Message not available
- Re: IKE and IPSec SA Lifetimes. Vibhore (Aug 18)
- RE: IKE and IPSec SA Lifetimes. Alexandre Verriere (Aug 18)
- Re: IKE and IPSec SA Lifetimes. ॐ aditya mukadam ॐ (Aug 13)