12-06-2011 02:44 AM - edited 02-21-2020 05:45 PM
Hi
I have an IPsec tunnel between an ASA 5510 (UK) and a router (France) that seems to go down at specific times during the day. I have attached the syslog as well.
I cannot seem to copy and paste the config onto here for some reason, so I have attached the configs, IPsec details and syslog details from the ASA.
12-06-2011 04:27 AM
Hi,
From my experience, if you're connecting an ASA with a router, it's very important to have all settings configured the same.
At first look, on the UK side PFS is used, and on the FR side I can't see it configured.
Also check the default settings for the IPsec lifetimes on both sides (IKE seems to be OK, if the tunnel goes up...).
BR
Pavel
12-06-2011 05:14 AM
Hi Pavel,
Sorry, but what is PFS?
12-06-2011 06:14 AM
hi,
Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
HTH
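The two answers above boil down to one check: the phase-2 (IPsec) settings on both peers must agree, and PFS is the one most often missed because it is simply absent from one side. The script below is an added example, not from the original thread or from the poster's attached configs: it parses two constructed crypto-map fragments in ASA syntax (flat `crypto map NAME SEQ set ...` lines) and IOS syntax (indented `set ...` lines under `crypto map NAME SEQ ipsec-isakmp`), fills in the platform default SA lifetime where none is configured (28800 s on ASA, 3600 s on IOS, taken from platform documentation and stated here as an assumption), and reports the PFS, transform-set and lifetime mismatches. The peer addresses and map names are made up.

```python
import re

# Platform default IPsec SA lifetimes in seconds (assumption from Cisco docs).
ASA_DEFAULT_SA_LIFETIME = 28800
IOS_DEFAULT_SA_LIFETIME = 3600

# Constructed sample fragments; addresses and names are made up, not the poster's.
ASA_UK = """
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address FR_VPN
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
"""

IOS_FR = """
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map UKMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 set security-association lifetime seconds 3600
 match address 101
"""


def parse_ipsec_settings(config, platform):
    """Return the phase-2 settings of the first crypto map entry in a fragment.

    platform is "asa" or "ios"; it only selects the default SA lifetime.
    Result: {"pfs": group or None, "transform": string, "lifetime": seconds}.
    """
    settings = {"pfs": None, "transform": None, "lifetime": None}
    transform_sets = {}
    global_lifetime = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line)
        if m:
            global_lifetime = int(m.group(1))
            continue
        if line.startswith("crypto map"):
            # ASA puts the "set ..." clause on the same line; IOS indents it
            # under the entry, so only the ASA form yields a clause here.
            m = re.match(r"crypto map \S+ \d+ (set .+)", line)
            if not m:
                continue  # entry header, match address, interface binding
            line = m.group(1)
        if line.startswith("set pfs"):
            parts = line.split()
            # "set pfs" with no group falls back to group1, as the Cisco note says.
            settings["pfs"] = parts[2] if len(parts) > 2 else "group1"
        elif line.startswith("set security-association lifetime seconds"):
            settings["lifetime"] = int(line.split()[-1])
        elif line.startswith("set transform-set"):
            settings["transform"] = line.split()[2]
    # Resolve the transform-set name to its algorithms so both sides compare alike.
    if settings["transform"] in transform_sets:
        settings["transform"] = transform_sets[settings["transform"]]
    if settings["lifetime"] is None:
        default = ASA_DEFAULT_SA_LIFETIME if platform == "asa" else IOS_DEFAULT_SA_LIFETIME
        settings["lifetime"] = global_lifetime if global_lifetime is not None else default
    return settings


def find_mismatches(side_a, side_b, label_a="A", label_b="B"):
    """List every phase-2 setting the two parsed sides disagree on."""
    problems = []
    for key in ("pfs", "transform", "lifetime"):
        a, b = side_a[key], side_b[key]
        if a != b:
            show = lambda v: "off" if v is None else v
            problems.append(f"{key}: {label_a}={show(a)} vs {label_b}={show(b)}")
    return problems


def check_sample():
    """Compare the two constructed fragments and return the mismatch list."""
    uk = parse_ipsec_settings(ASA_UK, "asa")
    fr = parse_ipsec_settings(IOS_FR, "ios")
    return find_mismatches(uk, fr, "UK", "FR")


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

On the sample input the script flags two differences: PFS is `group2` on the UK side and off on the FR side (the situation Pavel describes), and the SA lifetime is 28800 s versus 3600 s. A lifetime mismatch alone usually just means the lower value wins at negotiation, but a PFS mismatch fails the rekey, which is why a tunnel can come up and then drop at regular intervals.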