UTT Technologies VPN Menu
http://www.uttglobal.com Page 173
DH Group 5: 1536-bit modulus
Note: Both endpoints of an IPSec tunnel should use the same DH group because
each group has a different size modulus.
2) IKE Phase 2
Once an IKE SA is established successfully in phase 1, the two IPSec endpoints will
use it to negotiate IPsec SAs in phase 2. The IPSec SAs are used to secure the user
data to be transmitted through the IPSec tunnel.
During IKE Phase 2, the two IPSec endpoints also exchange security proposals to
determine which security parameters are to be used in the IPSec SAs. A phase 2 proposal
consists of one or two IPSec security protocols (either ESP or AH, or both) and the
encryption and/or authentication algorithms used with the selected security protocol.
IKE phase 2 has only one mode, called Quick Mode. Quick Mode uses three
messages to establish the IPSec SAs.
13.3.3 Maintain Security Associations (SAs)
After the SAs have been established, the two IPSec endpoints should maintain the
SAs to ensure that they remain secure and available. IPSec provides the following
methods to maintain the SAs and to detect when they are no longer usable.
1) SA Lifetime
During IKE and IPSec SAs negotiation and creation, the two IPSec endpoints also
negotiate a lifetime for each SA. If an SA is nearing the end of the lifetime, the
endpoints must negotiate and create a new SA and use it instead. The SA lifetime
specifies how often each SA should be renegotiated, either based on elapsed time or
the amount of network traffic.
Reducing the lifetime forces the IPSec endpoints to renegotiate the SAs more
frequently. This frequent renegotiation improves security, but at the expense of higher
CPU utilization and possible delays during the renegotiation process. Therefore, the
SA lifetime is often set to a relatively long time (the suggested value is between 1 and
24 hours). Because IPSec itself gives the endpoints no way to detect the loss of peer
connectivity, the SAs remain until their lifetimes naturally expire, and each
endpoint assumes that its peer is available until then. If the connectivity between
the two endpoints goes down unexpectedly (due to routing problems, a system reboot,
etc.), one endpoint keeps sending packets to its peer until the SAs expire; this
results in a false connection (the SAs look normal, but the tunnel is disconnected)
in which packets are tunneled to oblivion. It is therefore necessary that either
endpoint can detect a dead peer as soon as possible; a method called Dead Peer
Detection (DPD) is used for this purpose. DPD costs less than SA renegotiation, so
it is performed at a higher frequency.
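The following is an added example, not part of the UTT manual, that models the failure mode described above: an IPSec SA with a negotiated lifetime (elapsed seconds or bytes of traffic, whichever is reached first) and an optional DPD probe schedule, and a simulation that counts how many seconds an endpoint keeps tunneling packets to a peer that has died silently. The SA values, DPD interval and retry count are constructed sample settings, not product defaults.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SaState:
    """One IPsec SA with the two lifetime limits the text describes:
    elapsed time in seconds and amount of traffic in bytes."""
    life_seconds: int
    life_bytes: int
    age: int = 0
    bytes_sent: int = 0

    def needs_rekey(self) -> bool:
        # Whichever limit is reached first triggers renegotiation.
        return self.age >= self.life_seconds or self.bytes_sent >= self.life_bytes


@dataclass
class DpdConfig:
    """Constructed DPD settings: probe interval and how many unanswered
    probes are tolerated before the peer is declared dead."""
    interval: int
    retries: int


def seconds_tunneled_to_oblivion(sa: SaState, dpd: Optional[DpdConfig],
                                 rate_bytes_per_s: int) -> int:
    """Assume the peer has just died silently. Advance one second at a time
    and return how long this endpoint keeps pushing traffic into the dead
    tunnel before it notices: either through DPD, or only when the SA
    expires and the renegotiation with the dead peer fails."""
    elapsed = 0
    unanswered = 0
    while True:
        elapsed += 1
        sa.age += 1
        sa.bytes_sent += rate_bytes_per_s
        if sa.needs_rekey():
            return elapsed            # SA lifetime reached: rekey fails, loss noticed
        if dpd is not None and elapsed % dpd.interval == 0:
            unanswered += 1           # probe sent, a dead peer never answers
            if unanswered > dpd.retries:
                return elapsed        # DPD declares the peer dead


if __name__ == "__main__":
    no_dpd = seconds_tunneled_to_oblivion(SaState(3600, 10**9), None, 100_000)
    with_dpd = seconds_tunneled_to_oblivion(SaState(3600, 10**9), DpdConfig(30, 3), 100_000)
    print(f"without DPD: {no_dpd} s black-holed; with DPD: {with_dpd} s")
```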
2) DPD (Dead Peer Detect)
