
Re: [FW-1] [vpn] Nokia Crypto Cluster <-> Cisco 1720



Joel,

        You are correct.  There are some issues regarding this IKE
implementation, especially with Cisco.
But let's go to IKE 101, the SA stage.

An IPSec connection consists of 1 IKE SA (Security Association) and at least
2 dependent IPSec SAs.

These SAs (Both IKE and IPSec) have an expiration:
        a. The IKE SA expires every 24 hours (Cisco Default)
        b. The IPSec expires every 1 hour (Cisco Default)

Both IKE and IPSec SAs are identified by a unique SPI (Security Parameters
Index).
When used, SPIs are a stateful relationship between 2 peer points.
This state has info regarding, but not limited to:

        a. Common secret keys
        b. Security Parameters
        c. Peer Identity

This state information is established during:

        a. The main mode negotiation (MM) for IKE SA (1 SA).
        b. The quick mode negotiation (QM) for IPSec SAs (2 SAs).



The problem is that when the IKE SA expires (24 hr) it does not renegotiate a MM
until a new IPSec SA (1 hr).
Therefore, when a new IPSec SA is negotiated (QM every hour) before the IKE SA
expires (every 24 hours), as soon as the IKE SA expires the link will go down
until the next IPSec QM (the following hour).
The sending host will send traffic into a black hole for the length of the
IPSec SA lifetime (1 hour by default)
until a new QM is negotiated.

According to Cisco this has been identified as a bug by Cisco and will be
addressed in a future release of IOS.

I hope this makes sense.

Regards,


Alberto C.
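
The timing interaction Alberto describes, as an added toy model (not code from the thread, Cisco or Nokia): an IKE SA that expires without triggering Main Mode leaves traffic black-holed until the next Quick Mode. Assumptions labelled in the code: Main Mode and the first Quick Mode complete at t=0, each IPsec SA is re-keyed `rekey_margin` minutes before expiry (so the Quick Mode schedule drifts away from the IKE expiry instead of landing on it), and `rekey_early` is a hypothetical mitigation where a peer runs Main Mode at the last Quick Mode before the IKE SA would expire.

```python
# Toy timeline of the IKE/IPsec SA lifetime failure mode described above.
# Constructed model with times in minutes; not vendor code.

def simulate(ike_lifetime, ipsec_lifetime, duration, rekey_margin=1,
             rekey_early=False):
    """Return a list of (start, end) minutes during which traffic is dropped.

    Assumptions (not from the thread): Main Mode and the first Quick Mode
    both complete at t=0, and each IPsec SA is re-keyed `rekey_margin`
    minutes before it would expire.
    """
    ike_expiry = ike_lifetime                 # IKE SA negotiated at t=0
    next_qm = ipsec_lifetime - rekey_margin   # first re-key of the IPsec SAs
    windows, down_since = [], None
    for t in range(duration + 1):
        if t == next_qm:
            # Quick Mode needs a live IKE SA. In the behaviour reported in the
            # thread, only this moment triggers a new Main Mode. With
            # rekey_early (assumed mitigation) the peer also runs Main Mode
            # when the IKE SA would expire before the next Quick Mode.
            if t >= ike_expiry or (rekey_early and ike_expiry - t <= ipsec_lifetime):
                ike_expiry = t + ike_lifetime       # fresh IKE SA via Main Mode
            next_qm = t + ipsec_lifetime - rekey_margin
            if down_since is not None:
                windows.append((down_since, t))     # black hole ends at this QM
                down_since = None
        elif t >= ike_expiry and down_since is None:
            down_since = t          # IKE SA gone, no Main Mode: traffic dropped
    return windows


def worst_outage(windows):
    """Longest black-hole window in minutes (0 if none)."""
    return max((end - start for start, end in windows), default=0)


if __name__ == "__main__":
    two_days = 48 * 60
    # Cisco defaults quoted in the thread: IKE SA 24 h, IPsec SA 1 h.
    buggy = simulate(24 * 60, 60, two_days)
    fixed = simulate(24 * 60, 60, two_days, rekey_early=True)
    print("no early IKE re-key:", buggy, "worst", worst_outage(buggy), "min")
    print("early IKE re-key   :", fixed, "worst", worst_outage(fixed), "min")
```

With the defaults above the model reproduces a single black-hole window starting exactly at the 24-hour IKE expiry and lasting until the next Quick Mode; with the early re-key the window disappears.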



-----Original Message-----
From: Raymakers, Guy [mailto:[email protected]]
Sent: Friday, January 04, 2002 2:26 AM
To: 'Joel M Snyder'; Markus Schlup
Cc: [email protected]
Subject: RE: [vpn] Nokia Crypto Cluster <-> Cisco 1720


Joel,

I'm using the same setup, some CC2500 central and some Cisco 1720's remote.
It appears that the IKE negotiations and IKE renewal take some time.
Therefore, I see sometimes that there's a gap of +- 2 to 3 minutes in the
connections between these two systems. I've done some checking on this and
the only explanation I've found is that the Cisco box is setting up a new
IKE SA just before the existing one is expiring. That seems to confuse the
Nokia box and that's when the VPN connection is lost for a while. Have you
seen the same behavior?

Best regards,
Guy

-----Original Message-----
From: Joel M Snyder [mailto:[email protected]]
Sent: Friday, December 28, 2001 20:05
To: Markus Schlup
Cc: [email protected]
Subject: Re: [vpn] Nokia Crypto Cluster <-> Cisco 1720


Our company wrote the training materials for the Nokia
products.  I'd be happy to help.  Drop me an email.
The short answer is that you should have no problems---the
CC product line is very compliant with the RFCs, and while
there are certain restrictions in the Cisco commands for
setting this sort of stuff up, none of those will cause any
grief with the Nokia boxes.

jms


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone:(v)(FAX)

>I'm looking for somebody with experience in setting up
>a VPN between the above mentioned VPN devices. I'm
>still trying without any luck to get the two
>communicate with each other. Searching the net did not
>give me any hints. Any configs that you may share?

>Thanks,
>Markus


>VPN is sponsored by SecurityFocus.com

