Re: [FW-1] [vpn] Nokia Crypto Cluster <-> Cisco 1720
Joel,

You are correct. There are some issues regarding this IKE implementation, especially with Cisco. But let's go to IKE 101, the SA stage.

An IPsec connection consists of 1 IKE SA (Security Association) and at least 2 dependent IPsec SAs. These SAs (both IKE and IPsec) have an expiration:

a. The IKE SA expires every 24 hours (Cisco default).
b. The IPsec SA expires every 1 hour (Cisco default).

Both IKE and IPsec SAs are identified by a unique SPI (Security Parameters Index). When used, SPIs are a stateful relationship between 2 peer points. This state has info regarding, but not limited to:

a. Common secret keys
b. Security parameters
c. Peer identity

This state information is established during:

a. The Main Mode negotiation (MM) for the IKE SA (1 SA).
b. The Quick Mode negotiation (QM) for the IPsec SAs (2 SAs).

The problem is that when the IKE SA expires (24 hr) it does not renegotiate a MM until a new IPsec SA is needed (1 hr). Therefore, a new IPsec SA is negotiated (QM every hour) before the IKE SA expires (every 24 hours). As soon as the IKE SA expires, the link will go down until the next IPsec QM (the following hour). The sending host will send traffic into a black hole for the length of the IPsec SA lifetime (1 hour by default) until a new QM is negotiated.

According to Cisco, this has been identified as a bug and will be addressed in a future release of IOS.

I hope this makes sense.

Regards,
Alberto C.

-----Original Message-----
From: Raymakers, Guy [mailto:[email protected]]
Sent: Friday, January 04, 2002 2:26 AM
To: 'Joel M Snyder'; Markus Schlup
Cc: [email protected]
Subject: RE: [vpn] Nokia Crypto Cluster <-> Cisco 1720

Joel,

I'm using the same setup, some CC2500 central and some Cisco 1720's remote. It appears that the IKE negotiations and IKE renewal take some time. Therefore, I sometimes see a gap of about 2 to 3 minutes in the connections between these two systems.

I've done some checking on this and the only explanation I've found is that the Cisco box is setting up a new IKE SA just before the existing one is expiring. That seems to confuse the Nokia box and that's when the VPN connection is lost for a while.

Have you seen the same behavior?

Best regards,
Guy

-----Original Message-----
From: Joel M Snyder [mailto:[email protected]]
Sent: Friday, December 28, 2001 20:05
To: Markus Schlup
Cc: [email protected]
Subject: Re: [vpn] Nokia Crypto Cluster <-> Cisco 1720

Our company wrote the training materials for the Nokia products. I'd be happy to help. Drop me an email.

The short answer is that you should have no problems---the CC product line is very compliant with the RFCs, and while there are certain restrictions in the Cisco commands for setting this sort of stuff up, none of those will cause any grief with the Nokia boxes.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: (v) (FAX)

> I'm looking for somebody with experience in setting up
> a VPN between the above mentioned VPN devices. I'm
> still trying without any luck to get the two to
> communicate with each other. Searching the net did not
> give me any hints. Any configs that you may share?
> Thanks,
> Markus
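Editor's added example, not code from any message in this thread and not Cisco IOS or Nokia CC code: a small Python model of the lifetime interaction Alberto describes, one IKE (phase 1) SA over one IPsec (phase 2) SA with the Cisco default lifetimes of 24 hours and 1 hour. Two points in it are assumptions rather than anything stated in the thread: the drift between the Quick Mode and Main Mode schedules is produced by assuming a constant 1536 KB/s load, so the IPsec SA's volume lifetime (Cisco IOS default 4,608,000 KB) fires after 3000 s instead of the 3600 s timer; and the "fixed" behaviour is modelled as the peer rekeying phase 1 a margin (here 300 s) before it lapses. Traffic is treated as black-holed whenever the IKE SA has expired, which is the behaviour the message describes.

```python
"""Model of the IKE / IPsec SA lifetime interaction described in the thread.

Added illustration, not Cisco IOS or Nokia CC code.  Assumptions (not from
the thread): one IKE SA and one IPsec SA per tunnel; traffic is black-holed
while the IKE SA is expired even if the IPsec SA is still live; the IKE SA
is renegotiated (Main Mode) only when a Quick Mode needs it, unless
proactive_ike_rekey models rekeying phase 1 a margin before expiry; and a
constant 1536 KB/s load makes the IPsec volume lifetime fire before the timer,
which is what puts the QM schedule out of step with the IKE SA expiry.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IKE_LIFETIME = 24 * 3600        # Cisco default phase 1 lifetime, seconds
IPSEC_LIFETIME = 3600           # Cisco default phase 2 lifetime, seconds
IPSEC_KB_LIFETIME = 4_608_000   # Cisco default phase 2 volume lifetime, KB
STEP = 60                       # one simulated tick = one minute
KB_PER_TICK = 1536 * STEP       # assumed constant load of 1536 KB/s


@dataclass
class SA:
    spi: int                        # Security Parameters Index shared by both peers
    established: int                # simulated time the SA was negotiated
    lifetime: int                   # seconds
    kb_limit: Optional[int] = None  # volume lifetime; IPsec SAs only
    kb_sent: int = 0

    def expired(self, now: int) -> bool:
        if now - self.established >= self.lifetime:
            return True
        return self.kb_limit is not None and self.kb_sent >= self.kb_limit


class Tunnel:
    def __init__(self, proactive_ike_rekey: bool, rekey_margin: int = 300):
        self.proactive = proactive_ike_rekey
        self.margin = rekey_margin
        self.ike: Optional[SA] = None
        self.ipsec: Optional[SA] = None
        self._spi = 0x1000
        self.outages: List[Tuple[int, int]] = []   # black-hole windows (start, end)
        self._outage_start: Optional[int] = None

    def _next_spi(self) -> int:
        self._spi += 1
        return self._spi

    def main_mode(self, now: int) -> None:
        """Negotiate a fresh IKE SA (phase 1)."""
        self.ike = SA(self._next_spi(), now, IKE_LIFETIME)

    def quick_mode(self, now: int) -> None:
        """Negotiate a fresh IPsec SA (phase 2); needs a live IKE SA first."""
        if self.ike is None or self.ike.expired(now):
            self.main_mode(now)
        self.ipsec = SA(self._next_spi(), now, IPSEC_LIFETIME, IPSEC_KB_LIFETIME)

    def tick(self, now: int) -> bool:
        """Advance one tick; return True if this tick's traffic got through."""
        if self.ipsec is None or self.ipsec.expired(now):
            self.quick_mode(now)        # QM (and MM if needed) only when IPsec SA lapses
        elif self.proactive and self.ike is not None:
            remaining = self.ike.established + self.ike.lifetime - now
            if remaining <= self.margin:
                self.main_mode(now)     # rekey phase 1 before it lapses
        delivered = (self.ike is not None and not self.ike.expired(now)
                     and not self.ipsec.expired(now))
        if not delivered and self._outage_start is None:
            self._outage_start = now
        elif delivered and self._outage_start is not None:
            self.outages.append((self._outage_start, now))
            self._outage_start = None
        self.ipsec.kb_sent += KB_PER_TICK   # host keeps sending, black hole or not
        return delivered


def simulate(proactive_ike_rekey: bool,
             horizon: int = 2 * IKE_LIFETIME) -> List[Tuple[int, int]]:
    """Run the tunnel for `horizon` seconds and return the black-hole windows."""
    t = Tunnel(proactive_ike_rekey)
    for now in range(0, horizon, STEP):
        t.tick(now)
    if t._outage_start is not None:
        t.outages.append((t._outage_start, horizon))
    return t.outages


if __name__ == "__main__":
    for label, proactive in (("IKE rekeyed only on next QM", False),
                             ("IKE rekeyed before expiry", True)):
        windows = simulate(proactive)
        total = sum(end - start for start, end in windows)
        print(f"{label}: {len(windows)} outage(s), {total} s black-holed {windows}")
```

With these assumed inputs the first run shows one 600-second black hole starting exactly when the IKE SA expires at 86400 s and ending at the next Quick Mode at 87000 s, which is the shape of the failure Alberto describes (bounded by the IPsec SA lifetime, but not necessarily the full hour); the second run, which rekeys phase 1 before it lapses, shows none over the same two-day horizon.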