Velocity Reviews - Computer Hardware Reviews


Ike phase 1 rekey & timeout

 
 
fahad
03-18-2008
Hi

I configured ike sa keepalive timeout as 60 seconds & phase 1 rekey
interval as 60 seconds. Now this side is not getting any keepalives
from anyother router, so will the phase 1 rekey, or due to keepalive
timeout Phase 1 & phae 2 SAs should be deleted? I think since both
features are not related & since I am not getting any keepalives Phase
1 & phase 2 SAs should be deleted irrespectve of successful rekey
because keepalive timeout has occured.
Thanks
Fahad
 
News Reader
03-18-2008
When you indicate a phase 1 rekey interval of 60 sec., I'm assuming you
are referring to the ISAKMP policy command "lifetime".

The default is likely once per day (86,400 sec.).

You might want a lifetime of an hour (3600 sec.).

Can't imagine why you would want such a short lifetime as 60 seconds.

When do you plan to forward traffic, if all you are doing is building
and tearing down SAs?

Best regards,
News Reader
 
fahad
03-19-2008
Hi

Ya, I am referring to 60 seconds as the isakmp SA lifetime. What I wanted to
ask is if I configure the isakmp SA lifetime & isakmp sa keepalive timeout
duration as the SAME, then will the isakmp & ipsec SAs be deleted, or,
since rekey is happening, is there no need to delete the SAs as the peer is
reachable? Note that I am not getting any keepalives from any side. If
there is any RFC or draft for keepalives or heartbeat then please let me
know. I know DPD but the behavior of keepalives is still not clear to
me.
Thanks
Fahad
 
News Reader
03-19-2008
Assuming I am correct that there is no reasonable circumstance for
setting "isakmp sa lifetime" to a value as small as 60 sec., why is it
important to you to know what would happen with such a configuration?

The "crypto isakmp keepalive" command specifies the number of seconds
between DPD (Dead Peer Detection) messages.

When a crypto endpoint does not receive "three" keepalives in a row (3 x
isakmp keepalive interval), it tears down the SAs.

You are tearing down the SAs due to the "isakmp sa lifetime" at, or
around the time you would be receiving your first keepalive.


You may want to consult the Cisco IOS Security Command Reference,
Release 12.3 T

http://www.cisco.com/en/US/docs/ios/...html#wp1199835


If your next question is - what if I change the "isakmp sa lifetime"
to equal three times the "isakmp sa keepalive", I'm going to hang up on
you. ;>)

Best regards,
News Reader
 
fahad
03-20-2008
Hi

Thanks for that link. By the way, I gave 60 seconds SA duration just as
an example. Perhaps I was not able to phrase my statements
properly. The question is: if I get the 3rd keepalive & at the same time my
isakmp SA tears down, should the ipsec SA also tear down, as I have
received the 3rd keepalive, or should it continue with the new Isakmp SA &
older ipsec SA? Of course, now change the isakmp duration to around 1500
sec.

Regards
Fahad

 
News Reader
03-20-2008
You won't let go of the "same time", will you? ;>)

Maybe this will help:

I just examined the ISAKMP SA and IPSEC SAs on a router with the
following commands:

show crypto isakmp sa detail , note remaining lifetime and connection-id.
show crypto ipsec sa detail , note remaining lifetime.


I then cleared the existing ISAKMP SA with the following command:

clear crypto isakmp <connection-id>


I did the ISAKMP show command again to confirm that the ISAKMP SA had
been cleared/deleted.

I did the IPSEC show command again and found that the IPSec SAs
continued to exist for the remainder of their lifetimes.

This tells me that the two SA types are independent. The
expiration/deletion of the ISAKMP SA did not result in the IPSec SAs
being torn down.

When the IPSec SAs were due to timeout, a new ISAKMP SA was created
(phase 1), and then new IPSec SAs were created (phase 2).

Best regards,
News Reader



 
fahad
03-21-2008
Hi

Yes, that's the point I wanted to tell: if Isakmp & Ipsec SAs are
there & Phase 1 rekey fails (due to shutdown or change in IP address)
before keepalive timeout, then the keepalive timer will be deleted because
there is no isakmp SA, & the Ipsec SA will be there till it rekeys & fails
to rekey. The same is the case with DPD also. The solution might be
to give the Isakmp SA duration more than the IPsec SA duration. No SAME
TIME this time.

Regards

Fahad



 
News Reader
03-22-2008
"The same is the case with DPD also."? ... "The solution..."? ... I am
confused.

Perhaps it would have been best if you had stated the problem you were
trying to overcome, rather than starting with an obscure question.

Earlier, I had asked if you were referring to the command "crypto isakmp
keepalive" and you responded with "yes".

According to the Cisco IOS Security Configuration Guide, this command is
associated with Enabling IKE Dead Peer Detection. The purpose of the
command is - "Allows the gateway to send DPD messages to the router".


DPD Knowledge
.........................
Here are some excerpts from some documents I found that may be helpful:

DPD allows the router to detect a dead IKE peer, and when the router
detects the dead state, the router deletes the IPSec and IKE SAs to the
peer.

Keepalive packets are not sent if traffic is received. In addition, DPD
sends keepalive packets only if there is user traffic to send (and no
user traffic is received).

You can configure IKE DPD so that DPD sends the keepalive packets
whether or not there is outbound user data. That is, as long as there is
no inbound user data, the keepalive packets are sent at the configured
keepalive interval.


IKE Keepalives vs. DPD
.....................................
I found the following statements on the subject of: Restrictions for
Stateful Failover for IPSec

IKE keepalives are not supported. (Enabling this functionality will
cause the connection to be torn down after the standby router assumes
ownership control.) However, dead peer detection (DPD) and periodic DPD
are supported.

Clearly there is a difference between IKE Keepalives and DPD. Using a
command like "crypto isakmp keepalive" to enable DPD just causes more
confusion.

Like yourself, I don't know the difference.


Lifetimes
................
I use the same lifetime for ISAKMP and IPSec SAs. When the tunnel is
first coming up, if an ISAKMP SA is successfully established, the IPSec
SAs will be established shortly thereafter. The ISAKMP SA will be
renewed just before expiration of the IPsec SAs. If the ISAKMP SA is not
successfully renewed, then there is no renewal of the IPsec SAs shortly thereafter.


Best regards,
News Reader


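The timer interplay argued over above (News Reader's "three keepalives in a row" rule and the ISAKMP versus IPsec lifetime discussion, and fahad's concern that the keepalive timer dies with the ISAKMP SA) as an added example that is not from the thread or from Cisco: a small Python timeline model that answers which event clears the stale SAs first when the far peer goes silent. The timer values, the event names, the `dpd_needs_isakmp_sa` flag and the tie-break order are assumptions of this model, not IOS behaviour.

```python
"""Timeline model of the ISAKMP lifetime / IPsec lifetime / DPD interplay.

Constructed for this example; it is not IOS code. Both SAs come up at t=0
and the far peer stops answering at `peer_silent_from`. The model asks which
housekeeping event clears the stale SAs first: the DPD dead-peer verdict,
the ISAKMP SA lifetime, or the IPsec SA lifetime.

Illustrative IOS knobs the three timers stand in for (constructed values):
    crypto isakmp keepalive 10 3 periodic                    -> keepalive_interval
    crypto isakmp policy 10 / lifetime 86400                 -> isakmp_lifetime
    crypto ipsec security-association lifetime seconds 3600  -> ipsec_lifetime
"""
from dataclasses import dataclass
from typing import List, Tuple

DPD_RETRIES = 3  # the thread's rule of thumb: three unanswered keepalives


@dataclass(frozen=True)
class Timers:
    isakmp_lifetime: int      # seconds
    ipsec_lifetime: int       # seconds
    keepalive_interval: int   # seconds between DPD probes


def simulate(timers: Timers, peer_silent_from: int,
             dpd_needs_isakmp_sa: bool) -> List[Tuple[int, str]]:
    """Return the ordered (time, event) list until no SA is left.

    Model assumptions (chosen for this example):
      * DPD declares the peer dead DPD_RETRIES * keepalive_interval seconds
        after the last traffic and then deletes both SAs (the DPD excerpt).
      * ISAKMP SA expiry does not delete IPsec SAs (News Reader's clear test);
        the rekey attempt fails because the peer is silent.
      * IPsec SA expiry with no reachable peer leaves no SAs at all.
      * If dpd_needs_isakmp_sa is True, keepalives stop once the ISAKMP SA is
        gone (fahad's concern), so only the IPsec lifetime can clean up.
      * Ties ("same time") are broken DPD first, then IPsec, then ISAKMP.
    """
    if peer_silent_from >= min(timers.isakmp_lifetime, timers.ipsec_lifetime):
        raise ValueError("model only covers a peer that dies before the first expiry")
    isakmp_up = ipsec_up = True
    dpd_dead_at = peer_silent_from + DPD_RETRIES * timers.keepalive_interval
    order = {"dpd_dead": 0, "ipsec_expiry": 1, "isakmp_expiry": 2}
    candidates = sorted(
        [(dpd_dead_at, "dpd_dead"),
         (timers.ipsec_lifetime, "ipsec_expiry"),
         (timers.isakmp_lifetime, "isakmp_expiry")],
        key=lambda c: (c[0], order[c[1]]),
    )
    events: List[Tuple[int, str]] = []
    for t, ev in candidates:
        if not (isakmp_up or ipsec_up):
            break                         # nothing left to tear down
        if ev == "dpd_dead":
            if dpd_needs_isakmp_sa and not isakmp_up:
                events.append((t, "dpd_skipped_no_isakmp_sa"))
                continue
            events.append((t, "dpd_dead_both_sas_deleted"))
            isakmp_up = ipsec_up = False
        elif ev == "isakmp_expiry" and isakmp_up:
            events.append((t, "isakmp_expired_rekey_failed_ipsec_kept"))
            isakmp_up = False
        elif ev == "ipsec_expiry" and ipsec_up:
            events.append((t, "ipsec_expired_rekey_failed_no_sas"))
            isakmp_up = ipsec_up = False
    return events


def cleanup_time(timers: Timers, peer_silent_from: int,
                 dpd_needs_isakmp_sa: bool) -> int:
    """Seconds (from t=0) at which no stale SA is left for the dead peer."""
    return simulate(timers, peer_silent_from, dpd_needs_isakmp_sa)[-1][0]


if __name__ == "__main__":
    # fahad's 1500 s ISAKMP lifetime with a peer dying just before it expires
    short_isakmp = Timers(isakmp_lifetime=1500, ipsec_lifetime=3600, keepalive_interval=10)
    for needs_sa in (True, False):
        print(f"dpd_needs_isakmp_sa={needs_sa}:",
              simulate(short_isakmp, peer_silent_from=1495, dpd_needs_isakmp_sa=needs_sa))
    # fahad's proposed fix: ISAKMP lifetime longer than the IPsec lifetime
    long_isakmp = Timers(isakmp_lifetime=86400, ipsec_lifetime=3600, keepalive_interval=10)
    print("long ISAKMP lifetime:", simulate(long_isakmp, 1000, True))
```

With the short ISAKMP lifetime and the flag set, the stale IPsec SA lingers until its own lifetime (t=3600) because DPD never gets to run; with the longer ISAKMP lifetime DPD clears both SAs at t=1030.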

 
News Reader
03-22-2008
I think there was a typo in one of the excerpts I pasted:

"DPD sends keepalive packets only if there is user traffic to send (and
no user traffic is received)."

should probably read:

"DPD sends keepalive packets only if there is "NO" user traffic to send
(and no user traffic is received)."

Best regards,
News Reader


News Reader wrote:
> "The same is the case with DPD also."? ... "The solution..."? ... I am
> confused.
>
> Perhaps it would have been best if you had stated the problem you were
> trying to overcome, rather than starting with an obscure question.
>
> Earlier, I had asked if you were referring to the command "crypto isakmp
> keepalive" and you responded with "yes".
>
> According to the Cisco IOS Security Configuration Guide, this command is
> associated with Enabling IKE Dead Peer Detection. The purpose of the
> command is - "Allows the gateway to send DPD messages to the router".
>
>
> DPD Knowledge
> ........................
> Here are some excerpts from some documents I found that may be helpful:
>
> DPD allows the router to detect a dead IKE peer, and when the router
> detects the dead state, the router deletes the IPSec and IKE SAs to the
> peer.
>
> Keepalive packets are not sent if traffic is received. In addition, DPD
> sends keepalive packets only if there is user traffic to send (and no
> user traffic is received).
>
> You can configure IKE DPD so that DPD sends the keepalive packets
> whether or not there is outbound user data. That is, as long as there is
> no inbound user data, the keepalive packets are sent at the configured
> keepalive interval.
>
>
> IKE Keepalives vs. DPD
> ....................................
> I found the following statements on the subject of: Restrictions for
> Stateful Failover for IPSec
>
> IKE keepalives are not supported. (Enabling this functionality will
> cause the connection to be torn down after the standby router assumes
> ownership control.) However, dead peer detection (DPD) and periodic DPD
> are supported.
>
> Clearly there is a difference between IKE Keepalives and DPD. Using a
> command like "crypto isakmp keepalive" to enable DPD just causes more
> confusion.
>
> Like yourself, I don't know the difference.
>
>
> Lifetimes
> ...............
> I use the same lifetime for ISAKMP and IPSec SAs. When the tunnel is
> first coming up, if an ISAKMP SA is successfully established, the IPSec
> SAs will be established shortly thereafter. The ISAKMP SA will be
> renewed just before expiration of the IPSec SAs. If the ISAKMP SA is not
> successfully renewed, then no renewal of the IPsec SAs shortly thereafter..
>
>
> Best regards,
> News Reader
>
>
> fahad wrote:
>> Hi
>>
>> Yes thats the point I wanted to tell---- If Isakmp & Ipsec SAs are
>> there & Phase1 rekey fails (due to shutdown or change in IP address)
>> before keepalive timeout then Keepalive timer will be deleted bcoz
>> there is no isakmp SA & Ipsec SA will be there till it rekeys & fails
>> to rekey. The same is the case with DPD also. The soluiton might be
>> that give Isakmp SA duration more than IPsec SA duration. No SAME
>> TIME this time.
>>
>> Regards
>>
>> Fahad
>>
>> On Mar 21, 2:27 am, News Reader <(E-Mail Removed)> wrote:
>>> You won't let go of the "same time", will you? ;>)
>>>
>>> Maybe this will help:
>>>
>>> I just examined the ISAKMP SA and IPSEC SAs on a router with the
>>> following commands:
>>>
>>> show crypto isakmp sa detail , note remaining lifetime and
>>> connection-id.
>>> show crypto ipsec sa detail , note remaining lifetime.
>>>
>>> I then cleared the existing ISAKMP SA with the following command:
>>>
>>> clear crypto isakmp <connection-id>
>>>
>>> I did the ISAKMP show command again to confirm that the ISAKMP SA had
>>> been cleared/deleted.
>>>
>>> I did the IPSEC show command again and found that the IPSec SAs
>>> continued to exist for the remainder of their lifetimes.
>>>
>>> This tells me that the two SA types are independent. The
>>> expiration/deletion of the ISAKMP SA did not result in the IPSec SAs
>>> being torn down.
>>>
>>> When the IPSec SAs were due to timeout, a new ISAKMP SA was created
>>> (phase 1), and then new IPSec SAs were created (phase 2).
>>>
>>> Best regards,
>>> News Reader
>>>
>>>
>>>
>>> fahad wrote:
>>>> Hi
>>>> Thanks for that link. By the way I gave 60 seconds SA duration just as
>>>> an example . Perhaps I was not able to phrase my statements
>>>> properly. The question is if I get 3rd keepalive & at the same time my
>>>> isakmp SA tears down will the ipsec SA should also tear down as I have
>>>> received 3rd keepalive or it should continue with the new Isakmp SA &
>>>> older ipsec sa. Of course now change isakmp duration to around 1500
>>>> sec
>>>> Regards
>>>> Fahad
>>>> On Mar 20, 12:39 am, News Reader <(E-Mail Removed)> wrote:
>>>>> fahad wrote:
>>>>>> On Mar 19, 1:16 am, News Reader <(E-Mail Removed)> wrote:
>>>>>>> fahad wrote:
>>>>>>>> Hi
>>>>>>>> I configured ike sa keepalive timeout as 60 seconds & phase 1 rekey
>>>>>>>> interval as 60 seconds. Now this side is not getting any keepalives
>>>>>>>> from anyother router, so will the phase 1 rekey, or due to
>>>>>>>> keepalive
>>>>>>>> timeout Phase 1 & phae 2 SAs should be deleted? I think since both
>>>>>>>> features are not related & since I am not getting any keepalives
>>>>>>>> Phase
>>>>>>>> 1 & phase 2 SAs should be deleted irrespectve of successful rekey
>>>>>>>> because keepalive timeout has occured.
>>>>>>>> Thanks
>>>>>>>> Fahad
>>>>>>> When you indicate a phase 1 rekey interval of 60 sec., I'm
>>>>>>> assuming you
>>>>>>> are referring to the ISAKMP policy command "lifetime".
>>>>>>> The default is likely once per day (86,400 sec.).
>>>>>>> You might want a lifetime of an hour (3600 sec.).
>>>>>>> Can't image why you would want such a short lifetime as 60 seconds.
>>>>>>> When do you plan to forward traffic, if all you are doing is
>>>>>>> building
>>>>>>> and tearing down SAs?
>>>>>>> Best regards,
>>>>>>> News Reader
>>>>>> Hi
>>>>>> Ya I am refering 60 seconds as isakmp SA lifetime. What I wanted to
>>>>>> ask is if I configure isakmp SA lifetime & isakmp sa keepalive
>>>>>> timeout
>>>>>> duration as SAME then will the isakmp & ipsec SAs will be deleted or
>>>>>> since rekey is happening so no need to delete the SAs as peer is
>>>>>> reachable. Note that I am not getting any keepalives from any
>>>>>> side. If
>>>>>> there is any rfc or draft for keepalives or heartbeat then plz let me
>>>>>> know. I know DPD but the behavior of keepalives is still not clear to
>>>>>> me
>>>>>> Thanks
>>>>>> Fahad
>>>>> Assuming I am correct that there is no reasonable circumstance for
>>>>> setting "isakmp sa lifetime" to a value as small as 60 sec., why is it
>>>>> important to you to know what would happen with such a configuration?
>>>>> The "crypto isakmp keepalive" command specifies the number of seconds
>>>>> between DPD (Dead Peer Detection) messages.
>>>>> When a crypto endpoint does not receive "three" keepalives in a row
>>>>> (3 x
>>>>> isakmp keepalive interval), it tears down the SAs.
>>>>> You are tearing down the SAs due to the "isakmp sa lifetime" at, or
>>>>> around the time you would be receiving your first keepalive.
>>>>> You may want to consult the Cisco IOS Security Command Reference,
>>>>> Release 12.3 T
>>>>> http://www.cisco.com/en/US/docs/ios/.../reference/sec...
>>>>>
>>>>> If your next question is - what if I change the "isakmp sa lifetime"
>>>>> to equal three times the "isakmp sa keepalive", I'm going to hang up on
>>>>> you. ;>)
>>>>> Best regards,
>>>>> News Reader

 
Reply With Quote
 
News Reader
Guest
Posts: n/a
 
      03-22-2008
I think you need to be specific about which side of the tunnel (source
or destination) you are referring to when describing these events.

If the far side peer is shutdown or changes its IP address (the
scenarios you described) then you would no longer be receiving traffic
through the tunnel. Would you not expect to detect the absence of the
peer, and once detected, would you not delete the local ISAKMP and IPSec
SAs?

Also, I believe new ISAKMP SAs are established before the existing ones
expire.

Best regards,
News Reader


fahad wrote:
> Hi
>
> Yes that's the point I wanted to tell: if Isakmp & Ipsec SAs are
> there & Phase 1 rekey fails (due to shutdown or change in IP address)
> before keepalive timeout, then the keepalive timer will be deleted because
> there is no isakmp SA, & the Ipsec SA will be there till it rekeys & fails
> to rekey. The same is the case with DPD also. The solution might be
> to give the Isakmp SA duration more than the IPsec SA duration. No SAME
> TIME this time.
>
> Regards
>
> Fahad
>
> On Mar 21, 2:27 am, News Reader <(E-Mail Removed)> wrote:
>> You won't let go of the "same time", will you? ;>)
>>
>> Maybe this will help:
>>
>> I just examined the ISAKMP SA and IPSEC SAs on a router with the
>> following commands:
>>
>> show crypto isakmp sa detail , note remaining lifetime and connection-id.
>> show crypto ipsec sa detail , note remaining lifetime.
>>
>> I then cleared the existing ISAKMP SA with the following command:
>>
>> clear crypto isakmp <connection-id>
>>
>> I did the ISAKMP show command again to confirm that the ISAKMP SA had
>> been cleared/deleted.
>>
>> I did the IPSEC show command again and found that the IPSec SAs
>> continued to exist for the remainder of their lifetimes.
>>
>> This tells me that the two SA types are independent. The
>> expiration/deletion of the ISAKMP SA did not result in the IPSec SAs
>> being torn down.
>>
>> When the IPSec SAs were due to timeout, a new ISAKMP SA was created
>> (phase 1), and then new IPSec SAs were created (phase 2).
>>
>> Best regards,
>> News Reader
>>
>>
>>
>> fahad wrote:
>>> Hi
>>> Thanks for that link. By the way I gave 60 seconds SA duration just as
>>> an example. Perhaps I was not able to phrase my statements
>>> properly. The question is if I get the 3rd keepalive & at the same time my
>>> isakmp SA tears down, should the ipsec SA also tear down as I have
>>> received the 3rd keepalive, or should it continue with the new Isakmp SA &
>>> older ipsec sa? Of course now change isakmp duration to around 1500
>>> sec.
>>> Regards
>>> Fahad
>>> On Mar 20, 12:39 am, News Reader <(E-Mail Removed)> wrote:
>>>> fahad wrote:
>>>>> On Mar 19, 1:16 am, News Reader <(E-Mail Removed)> wrote:
>>>>>> fahad wrote:
>>>>>>> Hi
>>>>>>> I configured ike sa keepalive timeout as 60 seconds & phase 1 rekey
>>>>>>> interval as 60 seconds. Now this side is not getting any keepalives
>>>>>>> from any other router, so will the phase 1 rekey, or due to keepalive
>>>>>>> timeout should the Phase 1 & phase 2 SAs be deleted? I think since both
>>>>>>> features are not related & since I am not getting any keepalives Phase
>>>>>>> 1 & phase 2 SAs should be deleted irrespective of successful rekey
>>>>>>> because keepalive timeout has occurred.
>>>>>>> Thanks
>>>>>>> Fahad
>>>>>> When you indicate a phase 1 rekey interval of 60 sec., I'm assuming you
>>>>>> are referring to the ISAKMP policy command "lifetime".
>>>>>> The default is likely once per day (86,400 sec.).
>>>>>> You might want a lifetime of an hour (3600 sec.).
>>>>>> Can't imagine why you would want such a short lifetime as 60 seconds.
>>>>>> When do you plan to forward traffic, if all you are doing is building
>>>>>> and tearing down SAs?
>>>>>> Best regards,
>>>>>> News Reader
>>>>> Hi
>>>>> Yes, I am referring to 60 seconds as the isakmp SA lifetime. What I wanted to
>>>>> ask is if I configure isakmp SA lifetime & isakmp sa keepalive timeout
>>>>> duration as the SAME then will the isakmp & ipsec SAs be deleted, or
>>>>> since rekey is happening is there no need to delete the SAs as the peer is
>>>>> reachable? Note that I am not getting any keepalives from any side. If
>>>>> there is any rfc or draft for keepalives or heartbeat then please let me
>>>>> know. I know DPD but the behavior of keepalives is still not clear to
>>>>> me.
>>>>> Thanks
>>>>> Fahad
>>>> Assuming I am correct that there is no reasonable circumstance for
>>>> setting "isakmp sa lifetime" to a value as small as 60 sec., why is it
>>>> important to you to know what would happen with such a configuration?
>>>> The "crypto isakmp keepalive" command specifies the number of seconds
>>>> between DPD (Dead Peer Detection) messages.
>>>> When a crypto endpoint does not receive "three" keepalives in a row (3 x
>>>> isakmp keepalive interval), it tears down the SAs.
>>>> You are tearing down the SAs due to the "isakmp sa lifetime" at, or
>>>> around the time you would be receiving your first keepalive.
>>>> You may want to consult the Cisco IOS Security Command Reference,
>>>> Release 12.3 T
>>>> http://www.cisco.com/en/US/docs/ios/.../reference/sec...
>>>> If your next question is - what if I change the "isakmp sa lifetime"
>>>> to equal three times the "isakmp sa keepalive", I'm going to hang up on
>>>> you. ;>)
>>>> Best regards,
>>>> News Reader

 
Reply With Quote
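An added check, not from this thread or from Cisco, that reads the output of the two show commands News Reader used above ("show crypto isakmp sa" and "show crypto ipsec sa") and flags IPsec SAs that have outlived their ISAKMP SA, which is the liveness gap fahad describes. The sample show output is constructed, and the column layout the regexes expect is my assumption about the IOS format.

```python
import re

# Constructed sample output, not from the thread's router; the column layout
# is an assumption about the IOS formats, adjust the regexes if yours differs.
ISAKMP_OUTPUT = """\
dst             src             state          conn-id slot status
203.0.113.2     203.0.113.1     QM_IDLE           1001    0 ACTIVE
"""
IPSEC_OUTPUT = """\
   current_peer 203.0.113.2 port 500
      spi: 0x1A2B3C4D(439041101)
        sa timing: remaining key lifetime (k/sec): (4607999/3012)
   current_peer 198.51.100.7 port 500
      spi: 0x5E6F7A8B(1584691851)
        sa timing: remaining key lifetime (k/sec): (4607999/2210)
"""
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(?:\d+\s+)?(\S+)\s*$")
PEER_LINE = re.compile(r"^\s*current_peer\s+(\S+)")
SPI_LINE = re.compile(r"^\s*spi:\s+(0x[0-9A-Fa-f]+)")
LIFE_LINE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

def parse_isakmp(text):
    """Map each remote peer (dst column) to its ISAKMP SA conn-id, state, status."""
    sas = {}
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m and m.group(1) != "dst":  # skip the header row
            dst, _src, state, conn_id, status = m.groups()
            sas[dst] = {"conn_id": int(conn_id), "state": state, "status": status}
    return sas

def parse_ipsec(text):
    """List every IPsec SA as (peer, spi, remaining_seconds)."""
    sas, peer, spi = [], None, None
    for line in text.splitlines():
        if m := PEER_LINE.match(line):
            peer = m.group(1)
        elif m := SPI_LINE.match(line):
            spi = m.group(1)
        elif (m := LIFE_LINE.search(line)) and peer and spi:
            sas.append((peer, spi, int(m.group(2))))
    return sas

def ipsec_without_active_isakmp(isakmp_text, ipsec_text):
    """IPsec SAs whose peer has no ACTIVE ISAKMP SA. DPD keepalives are sent
    over the ISAKMP SA, so these flows get no liveness check until the next
    phase 2 rekey brings up a new phase 1 (the gap fahad describes)."""
    isakmp = parse_isakmp(isakmp_text)
    return [sa for sa in parse_ipsec(ipsec_text)
            if isakmp.get(sa[0], {}).get("status") != "ACTIVE"]
```

Feed it the real show output from both peers and compare: a non-empty result on one side only is the one-sided condition the thread keeps circling back to.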