Re: IKE and IPSec SA Lifetimes.

[Vibhore <vibhorejn () gmail com>]

Hi Aditya, Alexandre,

Just to add to this discussion. IKE(v1) and IPSec life times are
negotiated on most of the major gateways and clients and I have test
IPSec clients with many gateways and haven't seen something like
lifetime mismatch. In case of IKEv2, rekey works independent of the
lifetime values specified on both the peers.

NAT-T plays an important role because a machine internal to NAT-T
disabled network can reach any machine outside but any external
machine can reach only one of the internal machines if NAT-T is
disabled.

DPD is an important aspect of IPSec. Aditya is correct in stating that
DPD doesn't have any major negative impact on connections and is used
to check the heartbeat of the tunnel. Many gateways and clients allow
configuring DPD timeout value and one can configure it as per need. If
for some reason, any of the peer is not able to reply with DPD
informational messages, other end tears down the tunnel.

I hope this helps you.
Have a nice day.

===><===
Vibhore Jain
Test Engineer, SafeNet SoftRemote IPSec clients

On Wed, Aug 13, 2008 at 9:11 AM, ॐ aditya mukadam ॐ
<aditya.mukadam () gmail com> wrote:
> Alexandre,
>
> You are right in your understanding , IKE Phase -1 (ISAKMP) life time
> should be greater than IKE Phase-2 (IPSec) life time . 86400 sec (1
> day) is a common default  and is normal value for Phase 1.
>
> Many vendor devices have their own default Phase 1 & 2 lifetimes.For
> example, PIX/ASA have different default phase 2 lifetime than Cisco
> Routers.These values can be changed.
>
> Possible issues/suggestions:
> 1) There can be ' SA Life time mismatch ' between the two peers( It
> can be debated that if both devices donot have same lifetime , the
> tunnel won't come up. However, my experience suggests that many times
> tunnels do come up for strange reasons ). So,please confirm both the
> phase 1 & 2 life times match with the peers.This has to be
> standardized with your 50 sites !
> 2) Configure keep alive between the two devices. This will make sure
> that the tunnel is up in case the peers are timing out unexpectedly.
>
> Hope this helps.Let me know if any questions.
>
> Thanks,
> Aditya Govind Mukadam
>
>
> On Tue, Aug 12, 2008 at 2:34 PM, Alexandre Verriere
> <alexandre.verriere () gmail com> wrote:
> > HI all !
> >
> > We are working with VPNs between Zyxel routers and we have a strange issue.
> >
> > VPN dies and there are  IKE retransmit messages send until limit is reached.
> > BTW I'm not the person who
> > Configure  the routers and I noticed that IKE ans IPsec SA are set with the
> > same time value as 86400.
> >
> > My question is: Usualy  IKE SA lifetime are greater than IPSec SA lifetimes,
> > and are theses settings responsible of the troubles we have?
> >
> > Since we are in production environnement, I ask this question cause we have
> > 50+ VPNS and I'm struggling to find where's the catch.
> >
> > If anyone can help…
> >
> > Thanks in advance.
> >
> > Alexandre Verriere.