FAQ – When will the firewall take down the IPSec VPN tunnel under normal circumstances?

Publication Date: 2012-11-26
Issue Description
Q:
When will the firewall take down the IPSec VPN tunnel under normal circumstances?
Alarm Information
None.
Handling Process
A:
IPSec VPN negotiation has two phases, and both phases work with a Security Association (SA) lifetime.
An SA lifetime can be measured in time or in traffic volume. There is a hard lifetime and a soft lifetime: when the hard lifetime expires the SA is deleted; when the soft lifetime expires the SA is renegotiated automatically so that the hard lifetime is never reached. On the Eudemon the soft lifetime is 90% of the hard lifetime.
When the Phase 1 SA hard lifetime expires, the Phase 1 SA is deleted; if a Phase 2 SA has been established, it is deleted at the same time.
When the Phase 2 SA hard lifetime expires, the Phase 1 SA and the Phase 2 SA are both deleted at the same time.

Because the RFC does not define the format and content of the IKE SA Keepalive message in detail (only a draft describes it), vendor implementations differ. When interconnecting IPSec VPNs from different vendors, make sure that neither side has IKE SA Keepalive configured.
SA lifetime commands on the Eudemon (only the hard lifetime can be configured):
IKE Phase 1:
sa duration interval (1800s - 604800s, 86400s as default)
undo sa duration
IKE Phase 2:
sa duration { traffic-based kilobytes (8000 - 4194303) | time-based interval (480s - 604800s, 3600s as default) }
undo sa duration { traffic-based | time-based }
display ike sa
connection-id    peer          flag        phase   doi
  --------------------------------------------------------------
25                  1.1.1.2      RD          1        IPSEC
26                  1.1.1.2      FD          2        IPSEC
FD (FADING): the soft lifetime has expired; the SA will be deleted if renegotiation does not succeed before the hard lifetime expires.
In addition, the tunnel is also deleted when the IKE SA Keepalive times out.

IPSec protocol messages are not carried over a reliable TCP connection, so if the peer IPSec device fails, the local SA is not deleted until its lifetime expires, and traffic is black-holed in the meantime. The draft RFC “draft-ietf-ipsec-heartbeats-00.txt” suggests using IKE SA Keepalive to solve this problem.
On the Eudemon the default “ike sa keepalive-timer interval” is 20 seconds and the default “ike sa keepalive-timer timeout” is 60 seconds, meaning the IPSec VPN tunnel is deleted if no keepalive message is received within one minute.
display ike sa
connection-id    peer          flag        phase   doi
  --------------------------------------------------------------
25                  1.1.1.2      TO          1        IPSEC
26                  1.1.1.2      RD          2        IPSEC
TO (TIMEOUT): the SA has not received a keepalive message within the expected interval; if none is received before the “keepalive timeout” expires, the SA will be deleted.
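As an added illustration (not part of the original FAQ and not Huawei code), the following Python helper parses `display ike sa` output and models the two teardown triggers described above: lifetime expiry (soft lifetime at 90% of the hard lifetime, FD until renegotiation, deletion at the hard lifetime) and keepalive timeout (20 s interval, 60 s timeout). The sample output is constructed from the tables above. Treating an SA as TO once more than one keepalive interval has passed without a message is an assumption about when the flag appears, and the report format is the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Values quoted in the FAQ for the Eudemon firewall.
PHASE1_DEFAULT_HARD = 86400   # seconds, "sa duration" default for IKE Phase 1
PHASE2_DEFAULT_HARD = 3600    # seconds, time-based default for IKE Phase 2
SOFT_PERCENT = 90             # soft lifetime is 90% of the hard lifetime
KEEPALIVE_INTERVAL = 20       # "ike sa keepalive-timer interval" default
KEEPALIVE_TIMEOUT = 60        # "ike sa keepalive-timer timeout" default

FLAG_MEANING = {
    "RD": "READY: SA established",
    "FD": "FADING: soft lifetime expired, renegotiation pending",
    "TO": "TIMEOUT: keepalive missed, SA deleted at keepalive timeout",
}

# One data row of `display ike sa`: connection-id, peer, flag, phase, doi.
SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([A-Z]{2})\s+([12])\s+(\S+)\s*$")

# Constructed sample, based on the FAQ's second table.
SAMPLE_OUTPUT = """\
display ike sa
connection-id    peer          flag        phase   doi
  --------------------------------------------------------------
25                  1.1.1.2      TO          1        IPSEC
26                  1.1.1.2      RD          2        IPSEC
"""


@dataclass
class IkeSa:
    connection_id: int
    peer: str
    flag: str
    phase: int
    doi: str


def parse_display_ike_sa(text: str) -> List[IkeSa]:
    """Extract SA rows; the header and separator lines do not match the pattern."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            rows.append(IkeSa(int(m.group(1)), m.group(2), m.group(3),
                              int(m.group(4)), m.group(5)))
    return rows


def soft_lifetime(hard_seconds: int) -> int:
    """Eudemon soft lifetime: 90% of the configured hard lifetime (integer maths)."""
    return hard_seconds * SOFT_PERCENT // 100


def lifetime_state(age_seconds: int, hard_seconds: int) -> str:
    """Flag an SA would carry purely from its age: RD, FD, or DELETED."""
    if age_seconds >= hard_seconds:
        return "DELETED"
    if age_seconds >= soft_lifetime(hard_seconds):
        return "FD"
    return "RD"


def keepalive_state(silence_seconds: int,
                    interval: int = KEEPALIVE_INTERVAL,
                    timeout: int = KEEPALIVE_TIMEOUT) -> str:
    """State derived from the time since the last keepalive was received.
    Assumption: the TO flag appears once more than one interval has passed
    with no message; deletion happens when the timeout is reached."""
    if silence_seconds >= timeout:
        return "DELETED"
    if silence_seconds > interval:
        return "TO"
    return "RD"


def peer_sas_removed_with(sas: List[IkeSa], expired: IkeSa) -> List[int]:
    """Hard-lifetime expiry of either phase removes both phases for that peer."""
    return [sa.connection_id for sa in sas if sa.peer == expired.peer]


def report(sas: List[IkeSa]) -> List[str]:
    """One line per SA that is not simply READY, for an operator or a monitor."""
    return [f"SA {sa.connection_id} to {sa.peer} (phase {sa.phase}): "
            f"{FLAG_MEANING.get(sa.flag, 'unknown flag ' + sa.flag)}"
            for sa in sas if sa.flag != "RD"]


if __name__ == "__main__":
    parsed = parse_display_ike_sa(SAMPLE_OUTPUT)
    for line in report(parsed):
        print(line)
    print("Phase 2 soft lifetime at default:", soft_lifetime(PHASE2_DEFAULT_HARD), "s")
```

Feeding a real `display ike sa` capture to `parse_display_ike_sa` and alerting on any FD or TO row gives early warning of a tunnel about to be torn down, before the peer's traffic is black-holed.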
Root Cause
None.
Suggestions
None.