A Huawei AR28-31 router is building an IPsec tunnel to a Check Point VPN-1(TM) & FireWall-1(R) NGX (R61) HFA_01, Hotfix 601 - Build 012.
ISAKMP is used to set up the tunnel. The IKE connection is established without problems, but when the IPsec SAs are renegotiated the Check Point device drops the SA packets coming from the AR28-31. The log from the Check Point device is attached.
The IPsec SA renegotiation interval was set to 3600 s (the default value on the AR28-31). The problem is that the Check Point device accepts only this time-based criterion for IPsec renegotiation, whereas the AR device additionally applies its default traffic-based SA renegotiation parameter.
Huawei Versatile Routing Platform Software
VRP software, Version 3.40, Release 0201P29
Copyright (c) 1998-2008 Huawei Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling
nor reverse-engineering shall be allowed.
Quidway AR28-31 uptime is 12 weeks, 6 days, 15 hours, 20 minutes
Last reboot 2009/07/24 18:15:24
System returned to ROM By <Reboot> Command.
CPU type: PowerPC 8245 300MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
128K bytes NvRAM Memory
[SLOT 0] 2FE (Hardware)3.1, (Driver)2.0, (CPLD)0.0
ike proposal 3
 sa duration 7200
ike peer 3
ipsec proposal 3
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ipsec policy 1 30 isakmp
 security acl 3007
Two possible solutions can be used:
1) If the time-based parameter must be used, set the traffic-based parameter to its highest possible value, so that the time-based parameter is guaranteed to expire first. If the traffic-based parameter is the one required, the solution is symmetrical: set the time-based parameter to its highest possible value.
2) Do not use ISAKMP mode at all and create the IPsec tunnel by defining its properties manually. In this mode the duration of the tunnel is irrelevant, because no rekeying takes place.
The AR router does not provide a way to use only one parameter for the IPsec SA duration: both the traffic-based and the time-based parameters are always used to determine the lifetime of the SA.
The AR router renews the SA when whichever of the two limits is reached first.
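The following Python script is an added illustration of the root cause and of solution 1; it is not part of the original case and does not come from Huawei or Check Point. It models a router that honours both a time-based and a traffic-based SA lifetime, computes which limit is reached first for a given traffic rate, and flags the case where the traffic-based limit would trigger a rekey that a peer tracking only the time-based lifetime will not expect. The command syntax it parses (`sa duration time-based <seconds>` / `sa duration traffic-based <kilobytes>`) and every number in the sample are assumptions or constructed values, not defaults from the case text.

```python
"""Model IPsec SA lifetime selection on a router that applies both a time-based
and a traffic-based limit (added example; command syntax and all numbers are
assumed/constructed, not taken from the case or from vendor documentation)."""
import re
from dataclasses import dataclass


@dataclass
class SaLifetime:
    time_s: int        # time-based lifetime, seconds
    traffic_kb: int    # traffic-based lifetime, kilobytes


# Assumed VRP-style policy-view commands (hypothetical syntax):
#   sa duration time-based <seconds>
#   sa duration traffic-based <kilobytes>
_SA_RE = re.compile(r"^\s*sa duration (time-based|traffic-based)\s+(\d+)\s*$")


def parse_sa_lifetime(config_text, default_time_s, default_traffic_kb):
    """Extract both lifetime limits from a config excerpt.

    Limits that are not configured explicitly fall back to the supplied
    defaults, mirroring a router that always applies both parameters."""
    lt = SaLifetime(default_time_s, default_traffic_kb)
    for line in config_text.splitlines():
        m = _SA_RE.match(line)
        if not m:
            continue
        if m.group(1) == "time-based":
            lt.time_s = int(m.group(2))
        else:
            lt.traffic_kb = int(m.group(2))
    return lt


def first_trigger(lifetime, rate_kb_per_s):
    """Return (trigger_name, seconds_until_rekey).

    The router renews the SA on whichever limit is reached first, so the
    traffic-based limit is converted to seconds at the given sustained rate."""
    if rate_kb_per_s <= 0:
        traffic_s = float("inf")           # no traffic: the byte counter never fills
    else:
        traffic_s = lifetime.traffic_kb / rate_kb_per_s
    if traffic_s < lifetime.time_s:
        return "traffic-based", traffic_s
    return "time-based", float(lifetime.time_s)


def peer_mismatch(lifetime, rate_kb_per_s, peer_time_s):
    """List the reasons a peer that honours only a time-based lifetime would
    see an unexpected rekey from this router; an empty list means compatible."""
    issues = []
    if lifetime.time_s != peer_time_s:
        issues.append(f"time-based lifetime {lifetime.time_s}s differs from peer's {peer_time_s}s")
    trigger, secs = first_trigger(lifetime, rate_kb_per_s)
    if trigger == "traffic-based":
        issues.append(f"traffic-based limit rekeys after {secs:.0f}s, before the "
                      f"{lifetime.time_s}s time-based limit the peer expects")
    return issues


if __name__ == "__main__":
    # Constructed config excerpt: explicit time limit, traffic limit left at a
    # constructed "default" of 1843200 KB (a placeholder value, not a vendor default).
    cfg = "ipsec policy 1 30 isakmp\n sa duration time-based 3600\n security acl 3007\n"
    lt = parse_sa_lifetime(cfg, default_time_s=3600, default_traffic_kb=1843200)
    print("as configured:", first_trigger(lt, 1000), peer_mismatch(lt, 1000, 3600))
    # Solution 1: push the traffic-based limit to a very large value so the
    # time-based limit always expires first.
    fixed = SaLifetime(time_s=3600, traffic_kb=4294967295)
    print("after fix:", first_trigger(fixed, 1000), peer_mismatch(fixed, 1000, 3600))
```

At a sustained 1000 KB/s the constructed traffic limit fills in about 1843 s, well before the 3600 s the peer expects, which reproduces the mismatch described in the case; once the traffic-based limit is raised to its maximum the time-based limit wins at any realistic rate and the peer sees the rekey it negotiated.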