IPSec CA Mode + NTP = Interoperability

guruprasadr
Level 7

Hello Experts,

We have a customer connected in a HUB & SPOKE method (around 700+ locations). The IPSec is established between the HUB & Spoke locations, i.e., all SPOKE locations will establish an IPSec peer with the HUB.

A few locations are running with the CA - Certificate Authentication Mechanism and a few are in the Pre-Shared Mechanism.

Question:

=========

Is it mandatory for locations that are running in the CA - Certificate Authentication Mechanism to have "NTP" configured?

Because we have seen in many locations that if "NTP" is not synchronised (at the Spoke), the "IPSec Peer" is not coming up. Once NTP is configured and synchronised, the IPSec session will be up.

Note: The peer is also NTP configured.

Is there any "Interoperability" defined between the IPSec CA Mode & NTP? I.e., if the CA method is used in IPSec, must NTP also be configured, and must the time be synchronised between the Peer & the Spoke location?

Another Question:

=================

If I configure my HUB Router as the central NTP server for the SPOKE locations, where the HUB Router will receive the NTP details from some Internet NTP server:

Is it possible to use the same "IPSec Peer" IP address as the NTP server IP for the Spoke locations?

Thanks in advance for your help.

Best Regards,

Guru Prasad R

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello,

Question 1)

Yes, certificates are time bounded, so the IPsec peers need to be synchronized, and NTP is the best way to do it.

Question 2) NTP has to work before the IPsec tunnel is formed, so using the external/public IP address is a viable choice to build an NTP relationship.

Hope to help,

Giuseppe
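The following configuration is an added example, not taken from the thread, that shows the arrangement the accepted answer describes: the hub syncs to an Internet NTP source and serves the spokes, and each spoke points NTP at the hub's public address, which is the same address it uses as its IPsec peer. All IP addresses, interface names and the key string are placeholders; NTP authentication is included because the spokes trust this time source for certificate validation, so an unauthenticated source could be used to push a spoke's clock outside a certificate's validity window.

```cisco
! ---- Hub router (placeholder addresses) ----
clock timezone UTC 0
! Upstream Internet NTP source; replace with a real server address
ntp server 192.0.2.10
! Shared key so spokes can verify the hub as their time source
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
! Send NTP from the public interface, i.e. the address the spokes peer with
ntp source GigabitEthernet0/0
! Keep the hardware calendar in step with the NTP-disciplined clock
ntp update-calendar

! ---- Spoke router (placeholder addresses) ----
clock timezone UTC 0
! 203.0.113.1 stands for the hub's public IP, also the spoke's IPsec peer address
ntp server 203.0.113.1 key 1
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
```

Two things to check when deploying this. First, NTP (UDP port 123) from the spoke to the hub's public address must travel outside the tunnel and be permitted by any inbound ACL on the hub's outside interface; if the crypto ACL or an outside ACL catches it, the spoke can never sync and the certificate exchange never starts, which is the chicken-and-egg failure the question describes. Second, verify with `show ntp status` (look for "Clock is synchronized"), `show clock detail` (an asterisk before the time means the clock is not authoritative), and `show crypto pki certificates`, whose validity dates must bracket the router's current time. A router without a battery-backed calendar boots with a default date years in the past, so until NTP syncs, every certificate it sees looks not-yet-valid.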

Replies

Hi Giuseppe,

Your post was informative.

Thanks,

Guru Prasad R
