Firewall Wizards mailing list archives

Fwd: LAN-LAN VPN using PIXes and a dialup connection


From: Stefan Pantke <seaside.ki () mac com>
Date: Sat, 26 Jun 2004 12:42:13 +0200


On 25.06.2004 at 20:27, Dave Piscitello wrote:

At 04:56 PM 6/25/2004 +0200, you wrote:
Port 50/TCP is remote mail checking protocol. Are you using this?

No, I meant IP protocol 50.

Won't this trigger a connection if you are periodically checking mail?

No. IP protocol 50 is ESP, securely encapsulated payload.

I will check if email checking is enabled, but most likely, this
is not the case.

I don't use this protocol so I'm not certain, but on many VPN implementations any traffic to a non-local destination will trigger a switched/dialup connection and consequent IKE exchange (if tunnel is not active).

Depending on your session duration parameter, IKE will refresh keys (according to your security policy) So I'd check this value?

IKE lifetime 8 hours
VPN lifetime 5 minutes - to not force the line to be kept open

I think this might be your problem. I don't believe cisco's implementation correlates IPsec SA and dialup status. With your 5 minute IPsec SA lifetime, you have told the PIX, "refresh the IPsec SA keys every 5 minutes", then it may do so irrespective of whether you have an ISDN or dialup connection in the "disconnected" state.

This is a new config to check, if things change.

Regarding IKE lifetime, this is documented:

>>>
IPSec negotiation can be broken down into five steps, including two Internet Key Exchange (IKE) phases.
1. An IPSec tunnel is initiated by interesting traffic. Traffic is considered interesting when it is traveling between the IPSec peers.
2. In IKE Phase 1, the IPSec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).
3. In IKE Phase 2, the IPSec peers use the authenticated and secure tunnel to negotiate IPSec SA transforms. The negotiation of the shared policy determines how the IPSec tunnel will be established.
4. The IPSec tunnel is created and data is transferred between the IPSec peers based on the IPSec parameters configured in the IPSec transform sets.
5. The IPSec tunnel terminates when the IPSec SAs are deleted or when their lifetime expires.
<<<

Try raising your IPsec SA lifetime to 1 hour to see if you eliminate the dial. If so, then look up how you can set an auto dial capability on your ISDN line to only keep the line up when idle for 5 minutes.

The lifetime was before this change 8 hours - and PIX was dialing.

Currently my main question is this:

- Is a CISCO PIX based IPsec VPN supposed to keep the outside interface
  quiet as long as no new traffic arrives?

I recall there's an ISO command that says what traffic initiates an outgoing call but I do not recall the command itself.

Yes, a filter might be required, if some interesting traffic is really
injected from the LAN to the PIX.

Stefan
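The lifetime settings the thread argues about, shown as a PIX 6.x crypto configuration with the 5-minute IPsec SA lifetime beside the 1-hour value suggested above. This is an added, constructed example and not either poster's configuration; the peer address, LAN ranges, map and transform-set names are assumptions.

```cisco
! Constructed example (assumed PIX 6.x syntax); addresses and names are placeholders.
! Phase 1: one ISAKMP SA every 8 hours (28800 s), as in the thread.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp key PLACEHOLDER_PSK address 198.51.100.2 netmask 255.255.255.255

! Interesting traffic: only LAN-to-LAN packets should bring the tunnel up.
! Anything else that matches here (monitoring, mail polling) will trigger
! IKE and therefore the dial.
access-list VPN-TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! WEAK (the 5-minute value from the thread): the PIX renegotiates the
! Phase 2 SA about every 5 minutes, and each rekey is ISAKMP (UDP/500)
! traffic on the outside interface regardless of LAN activity.
crypto ipsec security-association lifetime seconds 300

! CORRECTED (the 1-hour value suggested in the thread): one rekey per hour,
! so a quiet LAN produces at most one burst of rekey traffic per hour.
crypto map VPN-MAP 10 ipsec-isakmp
crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 198.51.100.2
crypto map VPN-MAP 10 set transform-set ESP-3DES-SHA
crypto map VPN-MAP 10 set security-association lifetime seconds 3600
crypto map VPN-MAP interface outside
sysopt connection permit-ipsec
```

The per-map lifetime overrides the global one, so the 300-second global line is harmless once the map sets 3600; `show crypto ipsec sa` (remaining key lifetime) and `show crypto isakmp sa` show whether rekeys line up with the unexpected dials.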

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
