One IPsec tunnel and no ISAKMP tunnel.

Discussion in 'Cisco' started by AM, Dec 29, 2004.

  1. AM

    AM Guest

    After configuring a VPN I had a look at the PDM of our PIX and was surprised that it showed one
    IPsec tunnel but no ISAKMP/IKE tunnel!

    How can this happen?

    Is there anybody who can explain this to me?

    Thanks,

    Alex.
     
    AM, Dec 29, 2004
    #1

    :After configuring a VPN I had a look at the PDM of our PIX and was surprised that it showed one
    :IPsec tunnel but no ISAKMP/IKE tunnel!

    :How can this happen?

    I rarely use PDM, so I am not very familiar with it. It could be
    anything from a bug to the fact that there is no way from the
    command line to display ISAKMP tunnel count information.

    BTW, you have not mentioned which software version you are running
    on your new 525.
     
    Walter Roberson, Dec 29, 2004
    #2

  3. AM

    AM Guest

    6.3(4) and PDM 3.02
    Alex
     
    AM, Dec 29, 2004
    #3
  4. Rik Bain

    Rik Bain Guest

    If the IKE tunnel times out/tears down, it will not be rebuilt until the
    IPsec tunnel needs to rekey. For example, if you have a functioning
    tunnel up, you can clear the ISAKMP tunnel and traffic will still pass.

    Rik
     
    Rik Bain, Dec 29, 2004
    #4
  5. AM

    AM Guest

    Thanks Rik. Do you have any link/document that talks about this? I thought the IPsec tunnel needed an ISAKMP tunnel to
    work properly. It means I have not deeply understood the VPN building process at all.

    Alex.
     
    AM, Dec 30, 2004
    #5
  6. Rik Bain

    Rik Bain Guest

    Sorry, I don't have any docs that explicitly specify this behavior; it is
    just something I have observed in practice.

    Rik Bain
     
    Rik Bain, Jan 2, 2005
    #6
  7. Alex Chauvin

    Alex Chauvin Guest

    [CUT]
    IPsec and ISAKMP are not fully correlated; IPsec can run without
    ISAKMP, for example with pre-defined keys or a home-made key exchange
    protocol.

    Depending on the implementation, the ISAKMP daemon monitors the SPD database
    for needed entries (non-existing or dying) and negotiates new keys and
    parameters for the SPD. If no SA is established to negotiate keys, a
    new one is started with an authentication phase. The negotiated
    lifetime determines the duration of what you called the ISAKMP
    tunnel, which is not linked to the lifetime of the SPD (IPsec tunnel).

    Since SA creation can be complex (i.e. certificate validation), its
    lifetime needs to be adapted to the IPsec tunnel lifetime. For example, if
    tunnel keys are changed every 5 minutes, the ISAKMP association probably
    needs to stay up; for a change every 6/12 hours, the SA can be
    renegotiated without generating too much load.

    For reference:
    - IPSEC charter: http://www.ietf.org/html.charters/ipsec-charter.html
    - ISAKMP: http://www.ietf.org/rfc/rfc2407.txt

    Regards, Alex.
     
    Alex Chauvin, Jan 2, 2005
    #7
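The behaviour Rik Bain describes (clear the ISAKMP SA and traffic keeps flowing until the IPsec SA rekeys) and the lifetime relationship Alex Chauvin describes (a phase 1 SA is only rebuilt when a phase 2 negotiation needs one; manual keying needs no ISAKMP at all) can be seen in a small event-driven model. This is an added example, not code from the thread or from Cisco; the lifetimes, clock values and SPI numbers are constructed, and it simplifies real devices by rekeying exactly at expiry rather than shortly before it.

```python
"""Toy model of how an ISAKMP (IKE, phase 1) SA and an IPsec (phase 2) SA
relate in lifetime.  Added example, not from the thread.  Constructed
lifetimes; rekeying happens exactly at expiry (real devices rekey early)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IkeSa:
    established_at: int
    lifetime: int  # seconds negotiated in phase 1

    def alive(self, now: int) -> bool:
        return now < self.established_at + self.lifetime


@dataclass
class IpsecSa:
    spi: int
    established_at: int
    lifetime: int  # seconds negotiated in phase 2 (or static for manual keying)

    def alive(self, now: int) -> bool:
        return now < self.established_at + self.lifetime


@dataclass
class Peer:
    ike_lifetime: int
    ipsec_lifetime: int
    ike: Optional[IkeSa] = None
    ipsec: Optional[IpsecSa] = None
    log: List[Tuple[int, str]] = field(default_factory=list)
    next_spi: int = 0x1000

    def send(self, now: int) -> Tuple[str, int]:
        """Traffic matching the crypto ACL arrives at `now`; negotiate only if needed."""
        if self.ipsec is None or not self.ipsec.alive(now):
            self._negotiate_ipsec(now)
        return ("ipsec", self.ipsec.spi)

    def _negotiate_ipsec(self, now: int) -> None:
        # Phase 2 (quick mode) needs a live ISAKMP SA, so phase 1 runs
        # only when there is none or it has expired.
        if self.ike is None or not self.ike.alive(now):
            self.ike = IkeSa(now, self.ike_lifetime)
            self.log.append((now, "phase1"))
        self.ipsec = IpsecSa(self.next_spi, now, self.ipsec_lifetime)
        self.next_spi += 1
        self.log.append((now, "phase2"))

    def clear_isakmp_sa(self, now: int) -> None:
        """Model of clearing the ISAKMP SA by hand: phase 1 goes, phase 2 stays."""
        self.ike = None
        self.log.append((now, "clear isakmp"))

    def status(self, now: int) -> dict:
        """What a tunnel counter would show: number of live SAs of each kind."""
        return {"isakmp": 1 if self.ike and self.ike.alive(now) else 0,
                "ipsec": 1 if self.ipsec and self.ipsec.alive(now) else 0}


def thread_scenario():
    """Reproduce the situation in the thread: one IPsec SA, no ISAKMP SA."""
    p = Peer(ike_lifetime=86400, ipsec_lifetime=3600)
    out = []
    p.send(0)
    out.append(p.status(0))          # both SAs up
    p.clear_isakmp_sa(100)
    out.append(p.status(100))        # IPsec only: what the PDM showed
    p.send(200)                      # traffic still flows, no phase 1
    out.append(p.status(200))
    p.send(3600)                     # IPsec SA expired: phase 1 rebuilt, then phase 2
    out.append(p.status(3600))
    return out, p.log


def rekey_counts(ike_lifetime: int, ipsec_lifetime: int, horizon: int, step: int = 60):
    """(phase 1 count, phase 2 count) under constant traffic: the load trade-off."""
    p = Peer(ike_lifetime, ipsec_lifetime)
    for now in range(0, horizon, step):
        p.send(now)
    return (sum(1 for _, e in p.log if e == "phase1"),
            sum(1 for _, e in p.log if e == "phase2"))


def manual_keyed_peer(spi: int = 0x2000) -> Peer:
    """IPsec without ISAKMP at all: a statically keyed SA that never rekeys."""
    p = Peer(ike_lifetime=0, ipsec_lifetime=10**9)
    p.ipsec = IpsecSa(spi, 0, p.ipsec_lifetime)
    return p


if __name__ == "__main__":
    states, events = thread_scenario()
    for s, e in zip(states, events):
        print(s, e)
    print("86400/3600 over a day:", rekey_counts(86400, 3600, 86400))
    print("600/300 over an hour:", rekey_counts(600, 300, 3600))
```

`rekey_counts` makes the lifetime point concrete: with a one-day ISAKMP lifetime and one-hour IPsec lifetime, a day of traffic costs one phase 1 and 24 phase 2 exchanges, while a 10-minute ISAKMP lifetime paired with 5-minute IPsec keys repeats the expensive phase 1 (authentication, certificate validation) every second rekey.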
  8. kh_alex81

    kh_alex81

    Hi Alex,

    Thanks so much for the explanation. I had faced the same situation: the ISAKMP secured channel is definitely down, while the inbound IPsec and outbound IPsec SAs are still up. However, I wonder if you have any site that proves your explanation; I have been trying to connect to the first site but every time I get "no page found", and when I opened the second one I did not find an explanation for that.

    I am waiting for your reply and I really appreciate your assistance.

    Thank you very much.
     
    kh_alex81, Jul 19, 2007
    #8