[vpn-help] Timeouts?
Igor Birman
igor_birman at yahoo.com
Sun Jul 11 07:22:29 CDT 2010
Great answer, thanks!
Igor
________________________________
From: Matthew Grooms <mgrooms at shrew.net>
To: Igor Birman <igor_birman at yahoo.com>
Cc: vpn-help at lists.shrew.net
Sent: Sat, July 10, 2010 10:58:04 PM
Subject: Re: [vpn-help] Timeouts?
On 7/9/2010 4:53 PM, Igor Birman wrote:
> Can someone explain timeouts with ShrewSoft VPN Client and Juniper SSG
> Routers? My goal is to set it up so it basically never times out - once
> a user signs on I want them to stay signed on until they reboot their
> computer.
>
> In Shrew Soft, I have a Key Life Time limit of 86400 seconds for Phase
> 1, and 3600 seconds for phase 2, but I am not sure what that means -
> will it time out after 24 hours, or will it stay connected?
>
> On the SSG, the P1 proposal is set to 28800, and the P2 life time is
> 3600, but again, I am not sure what that means.
>
Hi Igor,
The most important thing to remember is that the IKSAMP SA lifetime ( phase1
rekey time ) and the IPsec SA lifetime ( phase2 rekey time ) need to match on
both the gateway and the client. If they both match, new SAs should be
re-negotiated as needed with no packet loss. You can think of ISAKMP as the
control channel and IPsec as the data channel. IKE ( internet key exchange ) is
a protocol standard that wraps the ISAKMP specification.
The slightly longer answer is that ISAMP SA key material is used to protect IKE
conversation. That is, the conversation that handles peer and user
authentication, client configuration ( if applicable ), IPsec SA negotiation,
notification messages, etc. IPsec SA key material is used to protect IP traffic
between the two peers ( packets that match IPsec security policies ). Both types
of SAs could potentially use a different set of security parameters ( ciphers,
message authentication algorithms, etc ) which is why two separate proposal
definitions ( phase1 and phase2 ) are required. Traditionally, a lot less
traffic is passed during an IKE conversation which is why the lifetime is
usually longer ( 24h vs 1h by default ). DH Exponentiation ( used to derive key
material ) is a CPU intensive operation, so it makes sense that you use one
parent SA to securely build lots of additional SA key material. PFS ( or perfect
forward security ) is a phase2 option that forces a new DH Exponentiation for
each new SA negotiation. In other words, its a bit more secure but takes more
CPU cycles.
In any case, there are no messages exchanged between peers when an SA expires.
That's why its important to make sure the lifetime matches on both ends.
Otherwise when an SA is expired by one peer, the other peer may still attempt to
use that SA to protect an important message or IPsec traffic. When this happens,
communication obviously breaks down.
Hope this helps,
-Matthew
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20100711/45ef838b/attachment-0001.html>
More information about the vpn-help
mailing list