Re: IKE and IPSec SA Lifetimes.

["ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>]

Alexandre,

It is advisable to enable DPD on both the peers. DPD doesn't cause any
negative effect if its enabled.

As I said earlier, please compare the lifetime on those 5 peers with others.

Thanks,
Aditya Govind Mukadam

On Wed, Aug 13, 2008 at 9:51 PM, Alexandre Verriere
<alexandre.verriere () gmail com> wrote:
> Thanks for your replies, looking at the different vpn setups I found some mistake such as NAT-T enabled
> On some peers but not on the other. Also I suspect a that the 'nailed up' function which is supposed to trigger a new 
> SA from the remote peers doesn't work correctly if DPD is not activated.
>
> Vpns today worked great although 5 of them at the end of the IKE SA were down approx 3 minutes before a new SA was 
> re-negotiated.
>
> Also is the DPD to be enable only on the triggering peer, the one with the nailed up option?
>
> Thanks for your replies.
>
> Alexandre Verriere.
>
> > Alexandre,
> >
> > You are right in your understanding , IKE Phase -1 (ISAKMP) life time
> > should be greater than IKE Phase-2 (IPSec) life time . 86400 sec (1
> > day) is a common default and is normal value for Phase 1.
> >
> > Many vendor devices have their own default Phase 1 & 2 lifetimes.For
> > example, PIX/ASA have different default phase 2 lifetime than Cisco
> > Routers.These values can be changed.
> >
> > Possible issues/suggestions:
> > 1) There can be ' SA Life time mismatch ' between the two peers( It
> > can be debated that if both devices donot have same lifetime , the
> > tunnel won't come up. However, my experience suggests that many times
> > tunnels do come up for strange reasons ). So,please confirm both the
> > phase 1 & 2 life times match with the peers.This has to be
> > standardized with your 50 sites !
> > 2) Configure keep alive between the two devices. This will make sure
> > that the tunnel is up in case the peers are timing out unexpectedly.
> >
> > Hope this helps.Let me know if any questions.
> >
> > Thanks,
> > Aditya Govind Mukadam
> >
> >
> > On Tue, Aug 12, 2008 at 2:34 PM, Alexandre Verriere
> > <alexandre.verriere () gmail com> wrote:
> > > HI all !
> > >
> > > We are working with VPNs between Zyxel routers and we have a strange issue.
> > >
> > > VPN dies and there are IKE retransmit messages send until limit is reached.
> > > BTW I'm not the person who
> > > Configure the routers and I noticed that IKE ans IPsec SA are set with the
> > > same time value as 86400.
> > >
> > > My question is: Usualy IKE SA lifetime are greater than IPSec SA lifetimes,
> > > and are theses settings responsible of the troubles we have?
> > >
> > > Since we are in production environnement, I ask this question cause we have
> > > 50+ VPNS and I'm struggling to find where's the catch.
> > >
> > > If anyone can help…
> > >
> > > Thanks in advance.
> > >
> > > Alexandre Verriere.
>
> ________________________________________
> Get more from your digital life. Find out how.