2. Whether the SA will reset earlier if we have set an idle timeout for the VPN tunnel. I mean, if the VPN tunnel is idle for some amount of time and I have set the idle timeout to be less than the SA reset time, then will it wait for the SA to reset, or will the tunnel get disconnected once the idle time is reached?
1) The concept of a security association (SA) is fundamental to IPSec. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely. IPSec provides many options for performing network encryption and authentication. Each IPSec connection can provide encryption, integrity, authenticity, or all three. When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption, MD5 or SHA for integrity). After deciding on the algorithms, the two devices must share session keys. As you can see, there is quite a bit of information to manage. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session.
2) Lifetime of a Security Association: a time interval after which an SA must be replaced with a new SA (and new SPI) or should occur. This may be expressed as a time or byte count, or a simultaneous use of both, the first lifetime to expire taking precedence. Both initiator and responder are responsible for
OK - in my original post there is a line that says "After deciding on the algorithms, the two devices must share session keys." So the SA keeps a record of the session keys. The session keys are the ENCRYPTION KEYS; the encryption keys are used by both ends to encrypt and decrypt the VPN over the insecure medium, the internet.
Just imagine if your SA never timed out and the session keys stayed the same forever. What if you used a weak encryption method or a hacked hash method to negotiate the keys? To add to that, just say that a man-in-the-middle attack on your VPN connection at start-up was performed and the encryption keys were captured in transit.
This now means that a hacker has all the time in the world to crack the session encryption keys and get access to your network.
So apart from keeping track of all the keys, settings, timers, etc., the SA offers an extra layer of security, ensuring the encryption keys are renegotiated within a time period to make sure the VPN stays secure.
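As an added illustration of the lifetime rule quoted above (a time limit or a byte-count limit, whichever expires first, with the replacement SA getting a new SPI and fresh keys), here is a small simulation; it is not code from this thread, and the lifetime values and the traffic trace are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: an SA is replaced when EITHER limit is reached,
# mirroring "the first lifetime to expire taking precedence".
@dataclass(frozen=True)
class Lifetime:
    seconds: int      # time-based lifetime
    kilobytes: int    # volume-based lifetime

@dataclass
class IpsecSa:
    spi: int
    key: bytes
    created_at: float
    bytes_protected: int = 0

    def expired_reason(self, now: float, life: Lifetime) -> Optional[str]:
        """Return 'time', 'bytes' or None. On an exact tie 'time' is reported
        first; in practice whichever limit is reached first ends the SA."""
        if now - self.created_at >= life.seconds:
            return "time"
        if self.bytes_protected >= life.kilobytes * 1024:
            return "bytes"
        return None

def new_sa(now: float) -> IpsecSa:
    # Every replacement SA gets a new SPI and a fresh session key, so keys
    # captured or cracked later are only useful for one lifetime's traffic.
    return IpsecSa(spi=secrets.randbits(32), key=secrets.token_bytes(32), created_at=now)

def run_traffic(trace: List[Tuple[float, int]], life: Lifetime):
    """trace: constructed (timestamp, packet_bytes) pairs in time order.
    Returns rekey events as (timestamp, reason, old_spi, new_spi)."""
    sa = new_sa(trace[0][0])
    events = []
    for ts, nbytes in trace:
        reason = sa.expired_reason(ts, life)
        if reason:
            replacement = new_sa(ts)
            events.append((ts, reason, sa.spi, replacement.spi))
            sa = replacement
        sa.bytes_protected += nbytes   # traffic protected under the current SA
    return events

if __name__ == "__main__":
    burst = [(t, 10240) for t in range(0, 50, 5)]      # 10 KB every 5 s
    trickle = [(t, 1024) for t in range(50, 130, 10)]  # 1 KB every 10 s
    for ev in run_traffic(burst + trickle, Lifetime(seconds=60, kilobytes=100)):
        print("t=%d rekey (%s): SPI %#x -> %#x" % ev)
```

The burst exhausts the 100 KB volume limit before the 60 s clock does, so the first rekey is volume-driven; the trickle that follows never reaches the byte limit, so the second rekey is time-driven.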