SRX Services Gateway
Contributor
aeroplane
Posts: 724
Registered: 06-30-2009
Accepted Solution

IKE life time VS IPSEC life time

Hi Experts


- What is the difference between IKE and IPSEC life time? I believe it's the PHASE-1 and PHASE-2 life time.

- Also, what are the recommended values for IKE and IPSEC life time?

- Which life time should be set greater than the other one, or should they be equal? What is the best practice?


Thanks

Distinguished Expert
MMcD
Posts: 635
Registered: 07-20-2010

Re: IKE life time VS IPSEC life time

What is the difference between IKE and IPSEC life time? I believe it's the PHASE-1 and PHASE-2 life time.


An IKE negotiation is performed in two phases. The first phase, phase-1, is used to authenticate the two VPN gateways or VPN Clients to each other, by confirming that the remote gateway has a matching Pre-Shared Key.


However, since we do not want to publish too much of the negotiation in plaintext, we first agree upon a way of protecting the rest of the IKE negotiation. This is done by the initiator sending a proposal to the responder. When this has been done, and the responder accepts the proposal, we try to authenticate the other end of the VPN to make sure it is who we think it is, as well as proving to the remote gateway that we are who we are.


Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption. Pre-Shared Keys are the most common authentication method.


In phase two, another negotiation is performed, detailing the parameters for the IPsec connection.

In phase-2 we will also extract new keying material from the Diffie-Hellman key exchange in phase-1, to provide session keys to use in protecting the VPN data flow.

If PFS, Perfect Forwarding Secrecy, is used, a new Diffie-Hellman exchange is performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. This is to make sure that, in the unlikely event that some key was compromised, no subsequent keys can be derived.

Once the phase-2 negotiation is finished, the VPN connection is established and ready for use.


Also, what are the recommended values for IKE and IPSEC life time?


IKE Phase-1 (ISAKMP) life time should be greater than IKE Phase-2 (IPSec) life time. 86400 sec (1 day) is a common default and the normal value for Phase 1, and 3600 sec (1 hour) is a common value for Phase 2.


Which life time should be set greater than the other one, or should they be equal? What is the best practice?


As above.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
aeroplane
Posts: 724
Registered: 06-30-2009

Re: IKE life time VS IPSEC life time

Great explanation! But I saw there is one more parameter, which is "idle-time" in phase-2.


set security ipsec vpn <name of vpn> ike idle-time <seconds>


What is this idle-time? What is its default value?


Thanks

Distinguished Expert
MMcD
Posts: 635
Registered: 07-20-2010

Re: IKE life time VS IPSEC life time

Hi Aeroplane, 


The IPsec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.


If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity. So in your case, if you don't set this value, the SA expires at the lifetime you specify in the config.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
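The following is an added example, not configuration posted by anyone in this thread, that puts MMcD's two answers together as a Junos SRX set-command fragment: a Phase-1 (IKE) lifetime of 86400 s, a shorter Phase-2 (IPsec) lifetime of 3600 s, PFS so that each Phase-2 rekey runs a fresh Diffie-Hellman exchange, and the ike idle-time from the second answer. All object names (ike-prop-1, ike-pol-1, gw-remote, ipsec-prop-1, ipsec-pol-1, vpn-remote), the peer address (203.0.113.10, a documentation address), the interface names and the pre-shared key are placeholders to be replaced; the algorithm choices are assumptions, not values given in the thread.

```junos
# Added example (not from the thread). Names, addresses and key are placeholders.

# Phase 1: IKE proposal. lifetime-seconds 86400 = the 1-day value from the thread.
set security ike proposal ike-prop-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-1 dh-group group14
set security ike proposal ike-prop-1 authentication-algorithm sha-256
set security ike proposal ike-prop-1 encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-1 lifetime-seconds 86400

set security ike policy ike-pol-1 mode main
set security ike policy ike-pol-1 proposals ike-prop-1
set security ike policy ike-pol-1 pre-shared-key ascii-text "REPLACE-WITH-STRONG-KEY"

set security ike gateway gw-remote ike-policy ike-pol-1
set security ike gateway gw-remote address 203.0.113.10
set security ike gateway gw-remote external-interface ge-0/0/0.0

# Phase 2: IPsec proposal. lifetime-seconds 3600 = the 1-hour value, shorter than Phase 1.
set security ipsec proposal ipsec-prop-1 protocol esp
set security ipsec proposal ipsec-prop-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-1 lifetime-seconds 3600

# PFS: a new Diffie-Hellman exchange for every Phase-2 negotiation, so a
# compromised key cannot be used to derive later Phase-2 keys.
set security ipsec policy ipsec-pol-1 perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-1 proposals ipsec-prop-1

# Route-based VPN bound to a secure tunnel interface.
set interfaces st0 unit 0 family inet
set security ipsec vpn vpn-remote bind-interface st0.0
set security ipsec vpn vpn-remote ike gateway gw-remote
set security ipsec vpn vpn-remote ike ipsec-policy ipsec-pol-1

# Idle timer: delete the Phase-2 SA after 600 s without traffic from the peer,
# instead of keeping it until the 3600 s lifetime runs out. Without this line
# only the global lifetime applies, as the second answer says.
set security ipsec vpn vpn-remote ike idle-time 600
```

After committing, `show security ike security-associations` and `show security ipsec security-associations` list the negotiated SAs; the IPsec output includes the remaining lifetime of each SA, which is the quickest way to confirm that the Phase-2 SAs are rekeyed well within the Phase-1 lifetime and that an idle SA is removed at the idle-time rather than at the global lifetime.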
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.