SRX Services Gateway
Contributor
Posts: 796
Registered: ‎06-30-2009
Accepted Solution

IKE life time VS IPSEC life time

Hi Experts

 

- What is the difference between IKE and IPSEC life time? I believe it's the PHASE-1 and PHASE-2 life time.

- Also, what are the recommended values for IKE and IPSEC life time?

- Which life time should be set greater than the other one, or should they be equal? What is the best practice?

 

Thanks

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010

Re: IKE life time VS IPSEC life time

What is the difference between IKE and IPSEC life time? I believe it's the PHASE-1 and PHASE-2 life time.

 

An IKE negotiation is performed in two phases. The first phase, phase-1, is used to authenticate the two VPN gateways or VPN Clients to each other, by confirming that the remote gateway has a matching Pre-Shared Key.

 

However, since we do not want to publish too much of the negotiation in plaintext, we first agree upon a way of protecting the rest of the IKE negotiation. This is done by the initiator sending a proposal to the responder. When this has been done, and the responder accepts the proposal, we try to authenticate the other end of the VPN to make sure it is who we think it is, as well as proving to the remote gateway that we are who we are.

 

Authentication can be accomplished through Pre-Shared Keys, certificates or public key encryption. Pre-Shared Keys are the most common authentication method.

 

In phase two, another negotiation is performed, detailing the parameters for the IPsec connection.

In phase-2 we will also extract new keying material from the Diffie-Hellman key exchange in phase-1, to provide session keys to use in protecting the VPN data flow.

If PFS, Perfect Forward Secrecy, is used, a new Diffie-Hellman exchange is performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. This is to make sure that, in the unlikely event that some key was compromised, no subsequent keys can be derived.

Once the phase-2 negotiation is finished, the VPN connection is established and ready for use.

 

Also, what are the recommended values for IKE and IPSEC life time?

 

IKE Phase-1 (ISAKMP) life time should be greater than IKE Phase-2 (IPSec) life time. 86400 sec (1 day) is a common default and a normal value for Phase 1, and 3600 sec (1 hour) is a common value for Phase 2.

 

Which life time should be set greater than the other one, or should they be equal? What is the best practice?

 

As above.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Posts: 796
Registered: ‎06-30-2009

Re: IKE life time VS IPSEC life time

Great explanation! But I saw there is one more parameter, which is "idle-time" in phase-2.

 

set security ipsec vpn <name-of-vpn> ike idle-time

 

What is this idle-time? What is its default value?

 

Thanks

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010

Re: IKE life time VS IPSEC life time

Hi Aeroplane, 

 

The IPsec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.


If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity. So in your case, if you don't set this value, the SA expires at the lifetime you specify in the config.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
New User
Posts: 2
Registered: ‎07-31-2015

Re: IKE life time VS IPSEC life time

Hi!

 

We are having a problem in our IPSec tunnel related to timeouts.

 

We set a 1 day timeout for Phase 1 (P1) and a 1 hour timeout for Phase 2 (P2).

 

When started from cold it runs perfectly.

 

But when P2 reaches its timeout, the Juniper deletes the P1.

 

On the other side (RouterOS device), when the P2 reaches its timeout, the P1 is still alive until it reaches its own timeout (1 day).

 

Obviously, if we get traffic from the RouterOS router, it tries to create a new P2 connection using the alive P1. But the Juniper doesn't know anything about that P1 and does not accept the renegotiation of the new P2 connection.

 

The VPN tunnel doesn't have any persistent connection (DB connection, SSH, RDP) when the P2 reaches its timeout.

 

Regards,

.. //\/ e t .\/ i c i o u s ..
Visitor
Posts: 5
Registered: ‎09-22-2010

Re: IKE life time VS IPSEC life time

I'm working on a solution for a mobile vehicle, which can connect over various 3G/4G/Satellite or Wi-Fi bridge connections to the internet. We need to establish a VPN that will be quick to drop the inactive session and re-establish a new session. The new sessions will have a different source IP, based on whatever mobile data carrier we are using.

 

I have a VPN that is working, but it's taking ~3 mins to reconnect if we change the network to one of the other connections.

 

What timers or lifetimes should I configure for the most optimal reconnect times?

Recognized Expert
Posts: 155
Registered: ‎12-21-2012

Re: IKE life time VS IPSEC life time

You should use vpn-monitor if both VPN endpoints are Juniper.

Thanks,
Hisham

Please accept my comment as a solution, if it helped in resolving your issue, to help guide other commentators and encourage others.
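A Junos configuration that puts the thread's points together, added here as an illustration and not taken from any post in the thread: a Phase 1 lifetime longer than the Phase 2 lifetime, PFS on the IPsec policy, the idle-time discussed above, and the vpn-monitor from the last reply. The proposal, policy, gateway and VPN names, the peer 203.0.113.1, the monitor target 10.0.2.1, ge-0/0/0.0, st0.0 and the pre-shared key are placeholders; the st0 interface and security zones are assumed to be configured separately.

```junos
## Added example, not from the thread. Names, addresses and interfaces are placeholders.

## Phase 1 (IKE SA): the longer lifetime, 86400 s = 1 day as the accepted answer recommends
set security ike proposal P1-PROP authentication-method pre-shared-keys
set security ike proposal P1-PROP dh-group group14
set security ike proposal P1-PROP authentication-algorithm sha-256
set security ike proposal P1-PROP encryption-algorithm aes-256-cbc
set security ike proposal P1-PROP lifetime-seconds 86400
set security ike policy P1-POL mode main
set security ike policy P1-POL proposals P1-PROP
set security ike policy P1-POL pre-shared-key ascii-text "<placeholder-psk>"
set security ike gateway GW-SITE-B ike-policy P1-POL
set security ike gateway GW-SITE-B address 203.0.113.1
set security ike gateway GW-SITE-B external-interface ge-0/0/0.0

## Phase 2 (IPsec SA): the shorter lifetime, 3600 s = 1 hour; PFS forces a fresh DH exchange per rekey
set security ipsec proposal P2-PROP protocol esp
set security ipsec proposal P2-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal P2-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal P2-PROP lifetime-seconds 3600
set security ipsec policy P2-POL perfect-forward-secrecy keys group14
set security ipsec policy P2-POL proposals P2-PROP
set security ipsec vpn VPN-SITE-B bind-interface st0.0
set security ipsec vpn VPN-SITE-B ike gateway GW-SITE-B
set security ipsec vpn VPN-SITE-B ike ipsec-policy P2-POL

## Optional idle timer (the parameter asked about above): delete the IPsec SA after 600 s with
## no traffic, before the 3600 s lifetime expires. Leave it out and only the lifetime applies.
set security ipsec vpn VPN-SITE-B ike idle-time 600

## Optional vpn-monitor (the last reply): probe the peer every 10 s, declare it down after
## 3 missed probes, so a dead tunnel is torn down and rebuilt instead of waiting for a lifetime
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 3
set security ipsec vpn VPN-SITE-B vpn-monitor optimized
set security ipsec vpn VPN-SITE-B vpn-monitor source-interface st0.0
set security ipsec vpn VPN-SITE-B vpn-monitor destination-ip 10.0.2.1
```

After committing, `show security ike security-associations` and `show security ipsec security-associations` show the two SAs with their remaining lifetimes, which is the quickest way to confirm that Phase 2 is rekeying under the still-valid Phase 1 SA rather than tearing it down.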