From: tdt_cciesec (tdt_cciesec@yahoo.com)
Date: Mon Nov 13 2006 - 09:02:24 ART
What you said
"Actually it DOES matter. Try configuring an IKE sa lifetime of an IPSec server (the one with a dynamic map) less than the one of the initiator and you will see that the server rejects phase I."
is absolutely NOT true.
Pix ----(HUB VPN) --------------(spoke VPN)----Router
I set "isakmp pol 1 life 360" on the PIX while I have "crypto isakmp pol 10,
lifetime 86400" on the Cisco router, and the VPN still works. The PIX is set up
with a "crypto dynamic map":
sysopt connection permit-ipsec
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto dynamic-map cmap 10 match address 101
crypto dynamic-map cmap 10 set transform-set tset
crypto map cisco 10 ipsec-isakmp dynamic cmap
crypto map cisco interface outside
Feel free to correct me if I am wrong.
tdt
Richard Dumoulin <Richard.Dumoulin@vanco.fr> wrote:
Hi Tim,
Actually it DOES matter. Try configuring an IKE sa lifetime of an IPSec server (the one with a dynamic map) less than the one of the initiator and you will see that the server rejects phase I.
Also, having a Phase I lifetime greater than Phase II is considered better practice. I see Phase II as the control channel, with features like DPD and SPI discovery (syncing the SPIs: how will the peers synchronise if there is no Phase I?).
Cheers
-- Richard
-----Original Message-----
From: Tim [mailto:ccie2be@nyc.rr.com]
Sent: Sunday, November 12, 2006 3:08 PM
To: 'Richard Dumoulin'; security@groupstudy.com; ccielab@groupstudy.com
Subject: RE: vpn -- SA lifetime
Hey Richard,
How ya doing?
Thanks for your quick response.
Actually, the lifetimes can be different on the 2 peers - at least with
Cisco's implementation. The smaller lifetime wins.
But, that's a different issue than what I was wondering about.
My concern was with respect to the phase 1 versus phase 2 lifetimes on a
given peer.
So, let's say we're configuring Peer 1 and we configure this:
Peer 1
Phase 1 (ISAKMP)
SA lifetime....X
Phase 2 (IPSec)
SA lifetime....Y
Should X be equal to, bigger than or smaller than Y?
Does it matter? Why or why not?
Is there a "Best Practice" when it comes to this?
Thanks again,
Tim
-----Original Message-----
From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: Sunday, November 12, 2006 8:56 AM
To: Tim; security@groupstudy.com; ccielab@groupstudy.com
Subject: RE : vpn -- SA lifetime
Phase 2 SA lifetimes need to be equal on both sides, I believe.
However Phase 1 sa lifetime of the initiator needs to be smaller than the
one of the server.
-- Richard
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Tim
Sent: Sunday, November 12, 2006 1:57 PM
To: security@groupstudy.com; ccielab@groupstudy.com
Subject: vpn -- SA lifetime
Hi guys,
Lifetimes, for both the mgmt SA (ISAKMP) and the data SA's (IPSec), can be
configured independently.
That being the case, does it matter what the values are relative to one
another?
IOW, should the lifetime for the mgmt SA be equal to, smaller than or larger
than the data lifetime?
Is there a "Best Practice" when it comes to selecting these values?
I know the lifetime parameter can be left at its default value but I'd like
to know if one value is changed, should the other value also be changed and
how to think about this issue.
Thanks very much for any feedback on this.
Tim
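As an added illustration of the thread's question (this is not a config posted by any participant), here is an IOS site-to-site peer showing where each of the two lifetimes lives: the Phase 1 (ISAKMP) lifetime is a property of the isakmp policy, while the Phase 2 (IPsec) lifetime is set globally and can be overridden per crypto map entry. The peer address 192.0.2.2, ACL 101, the transform-set and map names, the pre-shared key and the interface are placeholders chosen for the example; the 86400/3600/4608000 figures are the IOS defaults.

```cisco
! Added example, not taken from the thread. Peer 192.0.2.2, ACL 101, key,
! TSET/CMAP names and the interface are placeholders.
!
! Phase 1: the ISAKMP SA. "lifetime" here is the Phase 1 value (default 86400 s).
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco1234 address 192.0.2.2
!
! DPD keepalives travel over the Phase 1 SA (probe every 10 s, retry every 3 s).
crypto isakmp keepalive 10 3
!
! Phase 2: global IPsec SA lifetime, in seconds and in traffic volume
! (defaults 3600 s / 4608000 KB). Kept shorter than the Phase 1 value so the
! ISAKMP SA is still present when the data SAs rekey.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
! A per-map lifetime overrides the global Phase 2 value for this peer only.
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TSET
 set security-association lifetime seconds 1800
 match address 101
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
interface FastEthernet0/0
 crypto map CMAP
```

To check what was actually negotiated rather than what was configured, "show crypto isakmp policy" lists each policy's Phase 1 lifetime, "show crypto isakmp sa" shows the state of the Phase 1 SA, and "show crypto ipsec sa" shows the remaining seconds and kilobytes on each Phase 2 SA, which is where a mismatch between the two peers' configured values becomes visible.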
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART