05-03-2012 04:31 AM
- What is the difference between IKE and IPSEC life time? I believe its PHASE-1 and PHASE-2 life time
- Also What is the recommended values for IKE and IPSEC life time?
- Which life time should be set greater than other one OR should they equal? What is the best practice?
Solved! Go to Solution.
05-03-2012 06:37 AM
What is the difference between IKE and IPSEC life time? I believe its PHASE-1 and PHASE-2 life time
An IKE negotiation is performed in two phases. The first phase, phase-1, is used to authenticate the two VPN gateways or VPN Clients to each other, by confirming that the remote gateway has a matching Pre-Shared Key.
However since we do not want to publish too much of the negotiation in plaintext, we first agree upon a way of protecting the rest of the IKE negotiation. This is done by the initiator sending a proposal to the responder. When this has been done, and the responder acepts the proposal, we try to authenticate the other end of the VPN to make sure it is who we think it is, as well as proving to the remote gateway that we are who we are.
Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption. Pre-Shared Keys is the most common authentication method.
In phase two, another negotiation is performed, detailing the parameters for the IPsec connection.
In phase-2 we will also extract new keying material from the Diffie-Hellman key exchange in phase-1, to provide session keys to use in protecting the VPN data flow.
If PFS, Perfect Forwarding Secrecy, is used, a new Diffie-Hellman exchange is performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. This is to make sure that, in the unlikely event that some key was compromised, no subsequent keys can be derived.
Once the phase-2 negotiation is finished, the VPN connection is established and ready for use.
Also What is the recommended values for IKE and IPSEC life time?
IKE Phase -1 (ISAKMP) life time should be greater than IKE Phase-2 (IPSec) life time . 86400 sec (1 day) is a common default and is normal value for Phase 1 and 3600 (1 hour) is a common value for Phase 2
Which life time should be set greater than other one OR should they equal? What is the best practice?
05-04-2012 08:18 AM
Great Explaination! But I saw there is one more parameter which is "idle-time" in phase-2.
set security ipsec vpn t<name of vpn> ike idle-time
What is this idle-time? what is its default value?
05-07-2012 03:03 AM
The IPsec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.
If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity. So in your case if you dont set this value the SA expires on the lifetime you specify in the config.
07-31-2015 09:06 AM
We are having a problem in our IPSec tunnel related with timeouts.
We set 1 day timeout for Phase 1 (P1) and 1 hour timeout for Phase2 (P2)
When started from cold it runs perfectly.
But when P2 gets it's timeout the Juniper deletes the P1.
On the other part (RouterOs device), when the P2 gets its timeout the P1 it's yet alive until it arrives at its timeout (1 day).
Obviously if we get traffic from the RouterOs router it tries to create a new P2 connection using the alive P1. But the Juniper don't knows nothing about that P1 and do not accepts the renegotiation of the new P2 connection.
The VPN tunnel don't has any persistent connection (Bd connection, SSH, RDP) when the P2 gets its timeout.