From: V Shekhar (vshekhar25@yahoo.com)
Date: Mon Nov 13 2006 - 11:23:58 ART
Good Info Richard. Although i have never encountered the problem of SA Mismatch with both peers both in Checkpoint and Cisco IOS.
Although the snipet from the RFC is a good info.
-sHekHar.
----- Original Message ----
From: Richard Dumoulin <Richard.Dumoulin@vanco.fr>
To: tdt_cciesec <tdt_cciesec@yahoo.com>; Tim <ccie2be@nyc.rr.com>; security@groupstudy.com; ccielab@groupstudy.com
Sent: Monday, November 13, 2006 7:02:06 PM
Subject: RE : RE : vpn -- SA lifetime
Yes I have noticed that some IOS versions do not follow this and others do
(for instance my real 7200 router does but not the 3640 on dynamips) . Also
have a look at the book "network security principles and practices", the IPSec
chapter. The reason is that when IKE is first negotiated, there is still not a
trust relationship. Basically it is more secure not to accept any lifetime
proposal greater than the one on the server.
So "absolutely NOT true" is a bit harsh.
In conclusion, it seems that Cisco behaves differently depending on the IOS
version (depending on the programmer?). See
http://www3.ietf.org/proceedings/01aug/I-D/draft-ietf-ipsec-ike-lifetime-00.t
xt for recommendations.
Regarding Phase 2 lifetimes be careful when working with different vendors.
This is what RFC 2407 says:
4.5.4 Lifetime Notification
When an initiator offers an SA lifetime greater than what the
responder desires based on their local policy, the responder has
three choices: 1) fail the negotiation entirely; 2) complete the
negotiation but use a shorter lifetime than what was offered; 3)
complete the negotiation and send an advisory notification to the
initiator indicating the responder's true lifetime. The choice of
what the responder actually does is implementation specific and/or
based on local policy.
Regards
-- Richard
-----Message d'origine-----
De : tdt_cciesec [mailto:tdt_cciesec@yahoo.com]
Envoyi : Monday, November 13, 2006 1:02 PM
@ : Richard Dumoulin; Tim; security@groupstudy.com; ccielab@groupstudy.com
Objet : Re: RE : vpn -- SA lifetime
What you said
"Actually it DOES matter. Try configuring an IKE sa lifetime of an IPSec
server (the one with a dynamic map) less than the one of the initiator and you
will see that the server rejects phase I."
is absolutely NOT true.
Pix ----(HUB VPN) --------------(spoke VPN)----Router
I set "isakmp pol 1 life 360" on the Pix while I have "crypto isakmp pol 10,
lifetime 86400" on the Cisco router and the vpn still works, and that the Pix
is setup with "crypto dynamic map":
sysopt connection permit-ipsec
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config
isakmp identity address
isakmp enable outside
isakmp policy 1 authe pre
isakmp policy 1 encr 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 life 86400
crypto ipsec trans cisco esp-3des esp-md5-hmac
crypto dynamic cisco 10 match add 101
crypto dynamic cisco 10 set trans tset
crypto map cisco 10 ipsec-isakmp dynamic cmap
crypto map cisco interface outside
Feel free to correct me if I am wrong.
tdt
Richard Dumoulin <Richard.Dumoulin@vanco.fr> wrote:
Hi Tim,
Actually it DOES matter. Try configuring an IKE sa lifetime of an IPSec server
(the one with a dynamic map) less than the one of the initiator and you will
see that the server rejects phase I.
Also, having a Phase I lifetime greater than phase II is considered better
practice. I see Phase II like the control channel with features like DPD, spi
discovery (sync the SPIs. How will the peers synchronise if there is no
phaseI?)
Cheers
-- Richard
-----Message d'origine-----
De : Tim [mailto:ccie2be@nyc.rr.com]
Envoyi : Sunday, November 12, 2006 3:08 PM
@ : 'Richard Dumoulin'; security@groupstudy.com; ccielab@groupstudy.com
Objet : RE: vpn -- SA lifetime
Hey Richard,
How ya doing?
Thanks for our quick response.
Actually, the lifetimes can be different on the 2 peers - at least with
Cisco's implementation. The smaller lifetime wins.
But, that's a different issue than what I was wondering about.
My concern was with respect to the phase 1 versus phase 2 lifetimes on a
given peer.
So, let's say we're configuring Peer 1 and we configure this:
Peer 1
Phase 1 (ISAKMP)
SA lifetime....X
Phase 2 (IPSec)
SA lifetime....Y
Should X be equal to, bigger than or smaller than Y?
Does it matter? Why or why not?
Is there a "Best Practice" when it comes to this?
Thanks again,
Tim
-----Original Message-----
From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: Sunday, November 12, 2006 8:56 AM
To: Tim; security@groupstudy.com; ccielab@groupstudy.com
Subject: RE : vpn -- SA lifetime
Phase 2 sa lifetimes need to be equal I believe at oth sides.
However Phase 1 sa lifetime of the initiator needs to be smaller than the
one of the server.
-- Richard
-----Message d'origine-----
De : nobody@groupstudy.com [mailto:nobody@groupstudy.com] De la part de Tim
Envoyi : Sunday, November 12, 2006 1:57 PM
@ : security@groupstudy.com; ccielab@groupstudy.com
Objet : vpn -- SA lifetime
Hi guys,
Lifetimes, for both the mgmt SA (ISAKMP) and the data SA's (IPSec), can be
configured independently.
That being the case, does it matter what the values are relative to one
another?
IOW, should the lifetime for the mgmt SA be equal to, smaller than or larger
than the data lifetime?
Is there a "Best Practice" when it comes to selecting these values?
I know the lifetime parameter can be left at its default value but I'd like
to know if one value is changed, should the other value also be changed and
how to think about this issue.
Thanks very much for any feedback on this.
Tim
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART