IPSec CA Mode + NTP = Interoperability

Answered Question
May 6th, 2008

Hello Experts,

We have a Customer connected in a HUB & SPOKE Method (around 700+ Locations). The IPSec is established between the HUB & Spoke Locations, i.e., all SPOKE Locations will establish an IPSec Peer with the HUB.

A few locations are running with the CA - Certificate Authentication Mechanism and a few are using the Pre-Shared Mechanism.

Question:

=========

Is it mandatory for Locations that are running in CA - Certificate Authentication Mechanism to have "NTP" Configured?

Because we have seen in Many Locations that if the "NTP" is not synchronised (at the Spoke), the "IPSec Peer" is not coming Up. Once NTP is configured and Synchronised, the IPSec session will be Up.

Note: The Peer also has NTP Configured.

Is there any "Interoperability" defined between the IPSec CA Mode & NTP? i.e., if the CA Method is used in IPSec, is NTP also a must to be configured, and does the time have to be synchronised between the Peer & the Spoke Location?

Another Question:

=================

If I configure my HUB Router as the Central NTP Server for the SPOKE Locations, where the HUB Router will receive the NTP Details from some Internet NTP Server:

Is it possible to use the same "IPSec Peer" IP Address as the NTP Server IP for the Spoke Locations?

Thanks in Advance for your Help

Best Regards,

Guru Prasad R

Correct Answer by Giuseppe Larosa, Tue, 05/06/2008 - 13:44

Hello,

question 1)

Yes, certificates are time-bounded, so the IPsec peers need to be synchronized, and NTP is the best way to do it.

question 2) NTP has to work before the IPsec tunnel is formed, so using the external/public IP address is a viable choice to build an NTP relationship.

hope to help

Giuseppe

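The setup both answers describe, written out as an added Cisco IOS example (it is not configuration from the original thread or from either poster): the hub takes time from an Internet NTP source and serves it to the spokes on the same public address the spokes already use as their IPsec peer, and each spoke points at that address so time is available before any tunnel exists. The addresses 192.0.2.10, 198.51.100.1 and 203.0.113.0/24, the interface name GigabitEthernet0/0 and the key string are placeholders, and the NTP authentication and access-group lines are an addition beyond what the answer itself requires.

```cisco
! ---- HUB (placeholder addresses) ----
! Take time from an Internet NTP source.
ntp server 192.0.2.10
! Source NTP from the interface that carries the public address the spokes peer with.
ntp source GigabitEthernet0/0
! Authenticate NTP, so a spoke's clock can only be set by a reply that carries the shared key.
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-NTP-KEY
ntp trusted-key 1
! Answer time requests only from the spoke address range.
access-list 10 permit 203.0.113.0 0.0.0.255
ntp access-group serve-only 10

! ---- SPOKE (placeholder addresses) ----
! Same key as the hub; replies without it are ignored.
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-NTP-KEY
ntp trusted-key 1
! 198.51.100.1 is the hub's public address, i.e. the same address used as the IPsec peer.
ntp server 198.51.100.1 key 1 prefer
ntp source GigabitEthernet0/0

! ---- Checks to run on a spoke before looking at the IPsec peer ----
! "Time source is NTP" is what you want; "hardware calendar" or "user configuration" means no sync yet.
show clock detail
! Must report "synchronized".
show ntp status
! The hub entry should be the selected peer (marked with *).
show ntp associations
! Compare the certificate's Validity Date window with the output of show clock.
show crypto pki certificates
! Only meaningful once the clock is inside that window.
show crypto isakmp sa
```

Two points follow from the answer's "NTP has to work before the tunnel is formed". First, the NTP exchange runs between the two public addresses, so it must not match the crypto ACL that selects tunnel traffic; if it did, NTP would wait for a tunnel that in turn waits for a valid clock. Second, a spoke that reboots without a battery-backed clock comes up with a default date outside the certificate's validity window, which is exactly the "peer not coming up until NTP syncs" symptom in the question; keeping NTP reachable outside the tunnel, and giving the spoke a second NTP server so the hub is not the only time source, is what breaks that loop.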
