 From:  "Jai Ketteridge" <jai at innaloo dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] 1.3b2 - broken IPSec tunnels to Cisco PIX
 Date:  Thu, 28 Dec 2006 23:42:40 +0900
Why didn't I find this earlier!!!


All the answers you need!

-----Original Message-----
From: Daniele Guazzoni [mailto:daniele dot guazzoni at gcomm dot ch]
Sent: Thursday, 28 December 2006 10:38 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] 1.3b2 - broken IPSec tunnels to Cisco PIX

IPsec works in two phases:

during this phase the peers exchange the parameters, the policies and the
Each peer will check the identity of its peer-neighbor and negotiate all
If both peers can agree on a set of parameters and policy, SA (Security
Association) are created.

This is the tunnel (or the transport) part of IPsec.
Phase-2 encrypts and encapsulates the payload into the tunnel.

What about lifetime:
Actually you run two sets of keys, one for each phase.
The lifetime defines how often you re-exchange the keys.
Therefore asking for the "ideal" lifetime value is a matter of how secure
your tunnel has to be.
Of course a short lifetime will increase the security as keys are changed
often, but keep in mind that the process of generating, exchanging and
checking keys is also CPU intensive.

IPsec defines a framework of protocols to encrypt traffic, but different
vendors also apply different "interpretations" of it.
Actually the negotiation part of phase-1 is not mandatory and a VPN endpoint
can quick-and-dirty reject non-matching peers.
The PIX does not like mismatching parameters and will either reject the
session or simply keep their parameters.
Depending on the PIX-OS release you will not get any IPsec or your tunnel
will break down as soon as one of the peers initiates a rekey (since the
peer partner does not expect a rekey, based on its configured lifetime).

Hope this helps.


Jai Ketteridge wrote:
> What's interesting is that a different PIX setup guide I've seen says to set
> phase 1 to 28800? And the monowall setup says phase 2 to 14400. It's so
> confusing!
> en-ISA-Server-2006-Beta-Cisco-PIX-501.html
> Could someone please explain exactly what phase 1 is, exactly what timings
> are suitable, what phase 2 is and what timings are suitable!
> Thank you everybody!
> JK


Daniele Guazzoni
Senior Network Engineer, CCNP, CCNA

Linux and AMD-x86_64 or do you still with Windows and Intel ?
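The failure mode Daniele describes (crypto parameters must match, and a lifetime the peer does not negotiate down leads to a rekey the other side does not expect) can be checked before bringing a tunnel up. The following is an added example, not code from the thread or from m0n0wall; the proposal values are constructed, the 28800/14400 lifetimes come from the thread, and the PIX side's 3600 s phase-2 lifetime is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One side's settings for a single IPsec phase (constructed sample)."""
    encryption: str
    hash_alg: str
    dh_group: int
    lifetime: int  # seconds


def check_phase(name, local, remote, strict_peer):
    """Compare both sides' proposals for one phase.

    Returns (problems, first_rekey_at, initiator). Crypto parameters must
    match exactly. A mismatched lifetime is only reported when the peer keeps
    its own value (strict_peer=True) instead of negotiating down, because then
    the side with the shorter lifetime rekeys while the other side still
    expects the SA to be valid.
    """
    problems = []
    for field in ("encryption", "hash_alg", "dh_group"):
        a, b = getattr(local, field), getattr(remote, field)
        if a != b:
            problems.append(f"{name}: {field} mismatch ({a} vs {b})")
    # Whoever has the shorter lifetime initiates the first rekey.
    if local.lifetime <= remote.lifetime:
        first_rekey_at, initiator = local.lifetime, "local"
    else:
        first_rekey_at, initiator = remote.lifetime, "remote"
    if local.lifetime != remote.lifetime and strict_peer:
        problems.append(
            f"{name}: lifetime mismatch ({local.lifetime}s vs {remote.lifetime}s); "
            f"{initiator} rekeys at {first_rekey_at}s while the other side "
            f"expects the SA to last {max(local.lifetime, remote.lifetime)}s")
    return problems, first_rekey_at, initiator


def diagnose(local, remote, strict_peer=True):
    """Run check_phase for phase 1 and phase 2; return every problem found."""
    problems = []
    for phase in ("phase1", "phase2"):
        problems += check_phase(phase, local[phase], remote[phase], strict_peer)[0]
    return problems


# Constructed sample: m0n0wall side uses the thread's 28800 / 14400 values;
# the PIX side's 3600 s phase-2 lifetime is an assumption for illustration.
M0N0WALL = {"phase1": Proposal("3des", "sha1", 2, 28800),
            "phase2": Proposal("3des", "sha1", 2, 14400)}
PIX = {"phase1": Proposal("3des", "sha1", 2, 28800),
       "phase2": Proposal("3des", "sha1", 2, 3600)}

if __name__ == "__main__":
    for line in diagnose(M0N0WALL, PIX):
        print(line)
```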

