We have a Customer connected in HUB & SPOKE Method (around 700+ Locations). The IPSec is established between the HUB & Spoke Locations, i.e., all SPOKE Locations will establish an IPSec Peer with the HUB.
A few locations are running with the CA - Certificate Authentication Mechanism and a few are using the Pre-Shared Mechanism.
Is it mandatory for Locations that are running the CA - Certificate Authentication Mechanism to run with "NTP" Configured?
Because we have seen in many Locations that if "NTP" is not synchronised (at the Spoke), the "IPSec Peer" does not come Up. Once NTP is configured and synchronized, the IPSec session will be Up.
Note: The Peer is also NTP Configured.
Is there any "Interoperability" defined between the IPSec CA Mode & NTP, i.e., if the CA Method is used in IPSec, must NTP also be configured and the time synchronised between the Peer & the Spoke Location?
If I configure my HUB Router as the Central NTP Server for the SPOKE Locations, where the HUB Router will receive the NTP Details from some of the Internet NTP Servers,
is it possible to use the same "IPSec Peer" IP Address as the NTP Server IP for the Spoke Locations?
Thanks in Advance for your Help
Guru Prasad R
Yes, certificates are time bounded, so the IPsec peers need to be synchronized, and NTP is the best way to do it.
Question 2) NTP has to work before the IPsec tunnel is formed, so using the external/public IP address is a viable choice to build an NTP relationship.
Hope to help
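
The following is an added example, not part of the original thread: a small Python model of the validity-window check that makes certificate-authenticated IPsec depend on the clock, run over a few spokes with different clock offsets. The certificate names, dates, site names and offsets are all constructed, and the model covers only the notBefore/notAfter comparison (not signature or revocation checks).

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed validity windows (notBefore, notAfter) for the certificates a
# spoke has to validate: the CA certificate and the hub's identity certificate.
CHAIN = {
    "ca-root": (datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC)),
    "hub-router": (datetime(2024, 3, 1, tzinfo=UTC), datetime(2025, 3, 1, tzinfo=UTC)),
}

TRUE_TIME = datetime(2024, 6, 1, tzinfo=UTC)  # constructed "real" time

# Constructed clock offsets per site, relative to TRUE_TIME.
SPOKES = {
    "spoke-001": timedelta(seconds=2),        # NTP synchronized
    "spoke-002": timedelta(days=-365 * 22),   # clock lost, far in the past
    "spoke-003": timedelta(days=400),         # clock set far ahead
}

def check_chain(local_time, chain=CHAIN):
    """Validate every certificate against the device's own clock."""
    for name, (not_before, not_after) in chain.items():
        if local_time < not_before:
            return False, f"{name}: not yet valid (clock behind by {not_before - local_time})"
        if local_time > not_after:
            return False, f"{name}: expired (clock ahead by {local_time - not_after})"
    return True, "all certificates inside their validity window"

def tolerated_skew(true_time, chain=CHAIN):
    """Return (behind, ahead): how far a clock may drift before validation fails."""
    latest_start = max(nb for nb, _ in chain.values())
    earliest_end = min(na for _, na in chain.values())
    return true_time - latest_start, earliest_end - true_time

def audit(spokes=SPOKES, true_time=TRUE_TIME, chain=CHAIN):
    """Map each site to (ok, reason) given its clock offset."""
    return {site: check_chain(true_time + off, chain) for site, off in spokes.items()}

if __name__ == "__main__":
    for site, (ok, reason) in audit().items():
        print(f"{site}: {'PASS' if ok else 'FAIL'} - {reason}")
    behind, ahead = tolerated_skew(TRUE_TIME)
    print(f"tolerated drift: {behind.days} days behind, {ahead.days} days ahead")
```

A spoke using pre-shared keys has no validity window to check, which is consistent with only the certificate-authenticated sites being affected by an unsynchronized clock.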