Screen OS

  • 1.  I would like to change the key lifetime from 3600 to something different on my VPN

    Posted 01-25-2011 17:25

    I am running an SSG5 VPN, gateway to gateway. Site A, a Linksys router, initiates the connection via Aggressive mode since it has a non-static IP address. Site B hosts the SSG, which has a static one. I set the VPN up on the SSG and it works great; however, I get logs every hour, on the hour, for the reconnection:


    Jan 25 19:55:56 10.1.x.x ssg5-serial-wlan: NetScreen device_id=0162012008004720  [Root]system-information-00536: IKE 67.163.xxx.xxx Phase 2 msg ID b940ce85: Completed negotiations with SPI 5a3846b6, tunnel ID 15, and lifetime 3600 seconds/0 KB. (2011-01-25 20:03:13)


    I have changed the IPSec Key Lifetime from 3600 to 43200 (on the Linksys); however, I am sure I need to change it somewhere in the VPN setup on my SSG. I just don't see anything to change.


    Any help would be great. I will not forward my config unless it is requested. I have added a screenshot of the portion of my Gateway VPN settings that I think I need to change.



  • 2.  RE: I would like to change the key lifetime from 3600 to something different on my VPN

    Posted 01-25-2011 18:12

    The Phase 1 and Phase 2 lifetimes are actually set under the Phase 1 and Phase 2 Proposals. Make a custom proposal for the desired phase and set the lifetime as needed.



  • 3.  RE: I would like to change the key lifetime from 3600 to something different on my VPN
    Best Answer

    Posted 01-25-2011 18:16

    Ahhh, you beat me to it Kevin.  I typed a lot more to give the same basic information.  🙂




  • 4.  RE: I would like to change the key lifetime from 3600 to something different on my VPN

    Posted 01-25-2011 18:15

    Those messages are harmless; they're just letting you know that the firewalls are doing what they're supposed to do and rekeying the IPSec tunnel periodically (default 1 hour).


    If you really want to increase the IPSec SA lifetime, it's done in the Phase 2 Proposal on the SSG.  The screenshot you sent has an arrow pointing to the Dead Peer Detection / Heartbeat settings, which are Phase 1 settings.


    You'll need to create a custom Phase 2 proposal (VPNs -> Autokey Advanced -> P2 Proposal) with the SA lifetime you want there.  Then you'll need to set your VPN (VPNs -> Autokey IKE -> your VPN -> Advanced) to use the custom Phase 2 Proposal that you created.


    You'll want to make sure that the Linksys is set for a Phase 2 lifetime of the same value you set on your SSG.  Oftentimes those smaller firewall/routers don't separate the terminology, and they confuse Phase 1 and Phase 2 settings.  Phase 1 and Phase 2 have independent lifetime settings.
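    The log line quoted in the opening post already records the lifetime each Phase 2 SA was negotiated with, so it is a convenient place to confirm that a change to the P2 proposal actually took effect on both ends. The script below is an added example for this thread, not ScreenOS code and not anything Juniper ships: it parses "Completed negotiations" lines of the shape posted above, checks the negotiated lifetime against the value the admin expects, and flags rekeys that arrive well before that lifetime has elapsed (which is what you see when the other peer still proposes the shorter default, since the shorter proposal wins). The regex is modelled on the single real line in the thread; the other sample lines, their msg IDs and SPIs are constructed.

```python
"""Check ScreenOS Phase 2 completion syslog lines against an expected IPSec SA lifetime.

Added example for this thread (not from Juniper or ScreenOS). The message
format is assumed from the one line posted above; sample lines are constructed.
"""
import re
from datetime import datetime

# Assumption: every Phase 2 completion has this shape (based on the one
# genuine line in the thread). Other ScreenOS messages simply won't match.
P2_DONE = re.compile(
    r"IKE (?P<peer>\S+) Phase 2 msg ID (?P<msg_id>[0-9a-f]+): "
    r"Completed negotiations with SPI (?P<spi>[0-9a-f]+), "
    r"tunnel ID (?P<tunnel>\d+), and lifetime (?P<seconds>\d+) seconds/"
    r"(?P<kbytes>\d+) KB\. \((?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\)"
)

# Constructed sample log. The first line is the one quoted in the thread;
# the rest are made up to look like it (msg IDs, SPIs and times are invented).
PREFIX = ("Jan 25 19:55:56 10.1.x.x ssg5-serial-wlan: NetScreen "
          "device_id=0162012008004720  [Root]system-information-00536: ")
SAMPLE_LOGS = [
    PREFIX + "IKE 67.163.xxx.xxx Phase 2 msg ID b940ce85: Completed negotiations "
             "with SPI 5a3846b6, tunnel ID 15, and lifetime 3600 seconds/0 KB. (2011-01-25 20:03:13)",
    PREFIX + "IKE 67.163.xxx.xxx Phase 2 msg ID 1c2d3e4f: Completed negotiations "
             "with SPI 6b4957c7, tunnel ID 15, and lifetime 3600 seconds/0 KB. (2011-01-25 21:03:10)",
    PREFIX + "IKE 67.163.xxx.xxx Phase 2 msg ID 2d3e4f50: Completed negotiations "
             "with SPI 7c5a68d8, tunnel ID 15, and lifetime 43200 seconds/0 KB. (2011-01-25 22:03:05)",
    "Jan 25 22:10:00 10.1.x.x ssg5-serial-wlan: NetScreen device_id=PLACEHOLDER "
    "[Root]system-notification-00257(traffic): unrelated constructed line",
]


def parse_p2_completion(line):
    """Return a dict describing a Phase 2 completion line, or None for anything else."""
    m = P2_DONE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["tunnel"] = int(ev["tunnel"])
    ev["seconds"] = int(ev["seconds"])
    ev["kbytes"] = int(ev["kbytes"])
    ev["when"] = datetime.strptime(ev["when"], "%Y-%m-%d %H:%M:%S")
    return ev


def check_lifetimes(lines, expected_seconds, slack=0.1):
    """Return (tunnel, kind, value) findings for each SA that was negotiated with
    a lifetime other than expected_seconds ("lifetime"), and for each rekey that
    arrived before (1 - slack) * expected_seconds had passed since the previous
    completion on the same tunnel ("early-rekey")."""
    findings = []
    last_seen = {}  # tunnel ID -> timestamp of that tunnel's previous completion
    for line in lines:
        ev = parse_p2_completion(line)
        if ev is None:
            continue
        if ev["seconds"] != expected_seconds:
            findings.append((ev["tunnel"], "lifetime", ev["seconds"]))
        prev = last_seen.get(ev["tunnel"])
        if prev is not None:
            gap = (ev["when"] - prev).total_seconds()
            if gap < expected_seconds * (1 - slack):
                findings.append((ev["tunnel"], "early-rekey", int(gap)))
        last_seen[ev["tunnel"]] = ev["when"]
    return findings


if __name__ == "__main__":
    # After moving the P2 proposal to 43200 s, anything still at 3600 s stands out.
    for tunnel, kind, value in check_lifetimes(SAMPLE_LOGS, 43200):
        print(f"tunnel {tunnel}: {kind} = {value}")
```

    Run it against a syslog export with the expected lifetime you configured in the custom P2 proposal. A run that is clean on "lifetime" but still reports "early-rekey" means the SSG side negotiated the longer value but the rekeys are still driven by the peer's shorter timer, which is exactly the Linksys mismatch described above.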



  • 5.  RE: I would like to change the key lifetime from 3600 to something different on my VPN

    Posted 01-26-2011 02:46

    Thanks, I will give it a shot and let you know how it turns out. I have the phase2 Gateway already created, so I will just modify the settings I sent in the screenshot.




  • 6.  RE: I would like to change the key lifetime from 3600 to something different on my VPN

    Posted 01-26-2011 04:29

    Thanks for the input; it worked fine.