Question about IPSEC

killerasp

I am configuring an IPsec tunnel on a Cisco router and have a question about SAs.

If I set the security-association lifetime to 3600 seconds, it will remove the SA after hitting this timer. But will it disconnect my peer?

Also, could someone explain to me: is the SA created during the connection, or every time I need to open a new data pipe to request data from a server?
 
The peer should time out when the SA lifetime expires. I want to say there is a dead-peer-detection mechanism that facilitates this, but don't quote me on that.

As for the SA creation, it should be per connection from host to host (i.e. a mini-tunnel). In theory all packets between the two are secured for the lifetime of the SA, regardless of how many connections you make between the two. So long as the traffic between the two is IPsec protected I would think you'd be fine. However, a second line of thinking raises the possibility that each connection from host A to host B is its own IPsec protection pipe. For example, you define what traffic will be encrypted by the ACL, which leads me to believe it's per service and/or destination.

In other words, I don't know. I just hope my ramblings lead you in the right direction.

**Edit**
Woohoo!!! I was right, there is a Dead Peer Detection.
 
The SA renews as long as the peer is active and there has been no condition to cause the SA to be revoked. BobSutan is right: DPD will check (the message is called a "DPD R U THERE?") to see if the host is still active, and if not it will remove the SA.
 
Thanks guys.

I can see that my peer renewed the SA about 10 minutes before the previous one was about to expire. Awesome.
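For reference, here is an added example of an IOS site-to-site IPsec configuration that ties the two timers discussed in this thread together (the ISAKMP/IPsec SA lifetimes and the DPD keepalive). It is not a config posted by anyone in the thread; the peer addresses, pre-shared key, ACL, transform-set and map names are placeholders chosen for illustration.

```cisco
! Added example, not from the thread. Addresses, key and names are placeholders.
!
! Phase 1 (IKE/ISAKMP) SA: authenticates the peer. Its lifetime is separate
! from the IPsec (phase 2) SA lifetime the original question is about.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
! Dead Peer Detection: send an "R U THERE" probe after 10 s of silence and
! declare the peer dead after 3 unanswered retries, tearing down its SAs.
! "periodic" probes on a schedule; the default "on-demand" only probes when
! there is outbound traffic waiting and nothing has come back from the peer.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 (IPsec) SA lifetime, applied to every crypto map entry that does
! not override it. Reaching this timer does not disconnect the peer: IOS
! negotiates a replacement SA before the old one expires, which is the early
! renewal observed in the thread.
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic selector. One IPsec SA pair (inbound + outbound) is negotiated per
! crypto map entry / ACL line the first time matching traffic appears, not
! per TCP connection: every flow matched by this line rides the same SA pair
! until it is rekeyed.
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 ! Per-entry override of the global IPsec lifetime for this peer.
 set security-association lifetime seconds 1800
 ! Uncomment to request a separate SA pair for each source/destination host
 ! pair instead of one per ACL line (the "mini-tunnel per host" model from
 ! the discussion above).
 ! set security-association level per-host
 match address 101
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
```

To watch the behaviour described in the thread, use `show crypto ipsec sa` (its "sa timing: remaining key lifetime" line counts down toward the configured lifetime and a new SA appears before the old one reaches zero) and `show crypto isakmp sa` for the phase 1 state; `debug crypto isakmp` shows the DPD R_U_THERE / R_U_THERE_ACK exchange when periodic keepalives are enabled.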
 