One IPsec tunnel and no ISAKMP tunnel.

After configuring a VPN I had a look to the PDM of our PIX and I wondered it showed me it was one
IPsec tunnel but no ISAKMP/IKE tunnel!

How can this happen?

Is there anybody who can explain me this?

Thanks,

Alex.

 

:After configuring a VPN I had a look to the PDM of our PIX and I wondered it showed me it was one
:IPsec tunnel but no ISAKMP/IKE tunnel!

:How can this happen?

I rarely use PDM, so I am not very familar with it. It could be
anywhere from a bug to the fact that there is no way from the
command line to display isakmp tunnel count information.

BTW, you have not mentioned which software version you are running
on your new 525.

 

6.3(4) e PDM 3.02
Alex

 

If the IKE tunnel times out/tears down, it will not be rebuilt until the
IPSEC tunnel needs to rekey. For example, if you have a fuctioning
tunnel up, you can clear the isakmp tunnel and traffic will still pass.

Rik

 

Thanks Rik. Have you any link/document that talk about this? I thought the IPsec tunnel was needed a ISAKMP tunnel to
work properly.It means I have not deeply understood VPN building process at all.

Alex.

 

Sorry, I dont have any docs that explicitly specify this behavior; it is
just just something I have observed in practice.

Rik Bain

 

[CUT]

IPsec and ISAKMP are not fully correlated, IPSEC can run without
ISAKMP, for example with pre-defined keys or home made key exchange
protocol.

Depending on implementation, the ISAKMP daemon monitors SPD database
for needed entries (non existing or dying) and negociate new key and
parameters for SPD. If the SA is not establish to negociate keys, a
new one is started with an authentication phase. The Lifetime
negociated will determine the duration of what you called ISAKMP
tunnel which is not linked to the lifetime of the SPD (IPsec tunnel).

Since SA creation can be complex (ie certification validation),
lifetime needs to be adapted to IPSEC tunnel lifetime. For example, if
tunnel keys are changed every 5 minutes, ISAKMP association needs
probably to stay up, for a change every 6/12 hours, the SA can be
renegociated without generating to much load.

For reference:
- IPSEC charter: http://www.ietf.org/html.charters/ipsec-charter.html
- ISAKMP: http://www.ietf.org/rfc/rfc2407.txt

Regards, Alex.

 

Hi Alex,

Thanks so much for the explanation, I had faced the same situation that the ISAKMP Secured Channel is guarenteed down, while The inbound IPsec and the outbound IPsec SA's are still up. However, I wonder if you have any site prove your explanation, I have been trying to connect to the first site but every time I get no page found , and when I opened the second one I have not found explanation for that.

I am waiting for your reply and I really appreciate your assistance.

Thank you very much.