IPsec tunnel going down at specific times

seanbakers
Level 1

Hi

I have an IPsec tunnel between an ASA 5510 (UK) and a router (France) that seems to be going down at specific times during the day. I have attached the syslog as well.

I cannot seem to copy and paste the config on here for some reason, so I have attached the configs, IPsec details and syslog details from the ASA.

3 Replies

Pavel Pokorny
Level 1

Hi,

From my experience, if you're connecting an ASA with a router, it's very important to have all settings configured the same.

At first look, on the UK side PFS is used, and on the FR side I can't see it configured.

Also check the default settings for the IPsec lifetimes on both sides (IKE seems to be OK, if the tunnel comes up...).

BR

Pavel

Hi Pavel,

Sorry, but what is PFS?

Hi,

Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

HTH
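The two points raised in this thread (PFS configured on only one side, and IPsec SA lifetimes that differ between the ASA and the router) are exactly the kind of phase-2 mismatch that makes a tunnel come up and then drop on a schedule. The script below is an added example, not code from the thread or from Cisco: it parses one crypto-map entry from an ASA-style config and one from an IOS-style config, fills in the platform default lifetime where nothing is configured, and lists every phase-2 parameter that differs. The two sample configs, the peer addresses, and the default lifetime constants are constructed for the example (the defaults are assumptions; confirm them on your own devices), and the parser assumes a single crypto-map entry per side.

```python
import re

# Assumed platform defaults for the IPsec SA lifetime in seconds; these are
# assumptions for the example, so verify them on the actual devices.
ASA_DEFAULT_SECONDS = 28800
IOS_DEFAULT_SECONDS = 3600

# Constructed sample: ASA side with PFS group2 and an explicit SA lifetime.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.20
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
"""

# Constructed sample: IOS side with no PFS and the lifetime left at default.
IOS_CONFIG = """\
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set ESP-AES-SHA
 match address 100
"""

# The phase-2 keywords are the same on both platforms; the ASA just prefixes
# each one with "crypto map NAME SEQ", which the regexes below ignore.
PFS_RE = re.compile(r"\bset pfs\b(?:\s+(group\S+))?")
TRANSFORM_USE_RE = re.compile(r"\bset transform-set (\S+)")
LIFETIME_RE = re.compile(r"\bset security-association lifetime (seconds|kilobytes) (\d+)")
GLOBAL_LIFETIME_RE = re.compile(r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)")
TRANSFORM_DEF_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")


def parse_phase2(config, default_seconds, default_kilobytes=4608000):
    """Extract the phase-2 (IPsec SA) parameters of the crypto-map entry in config."""
    transform_defs = {}   # transform-set name -> tuple of its transforms
    global_life = {}      # lifetimes set with "crypto ipsec security-association lifetime"
    entry_life = {}       # lifetimes set inside the crypto-map entry
    pfs = None
    transform_name = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := TRANSFORM_DEF_RE.match(line)):
            transform_defs[m.group(1)] = tuple(m.group(2).split())
        elif (m := GLOBAL_LIFETIME_RE.match(line)):
            global_life[m.group(1)] = int(m.group(2))
        elif (m := LIFETIME_RE.search(line)):
            entry_life[m.group(1)] = int(m.group(2))
        elif (m := PFS_RE.search(line)):
            # "set pfs" with no group falls back to a platform-specific default
            # group, so only an explicit group on both sides is unambiguous.
            pfs = m.group(1) or "platform-default-group"
        elif (m := TRANSFORM_USE_RE.search(line)):
            transform_name = m.group(1)
    # An entry-level lifetime overrides the global one, which overrides the default.
    return {
        "pfs": pfs,
        "transform": transform_defs.get(transform_name),
        "lifetime_seconds": entry_life.get("seconds", global_life.get("seconds", default_seconds)),
        "lifetime_kilobytes": entry_life.get("kilobytes", global_life.get("kilobytes", default_kilobytes)),
    }


def compare_phase2(side_a, side_b):
    """Return a list of human-readable phase-2 mismatches between two parsed sides."""
    mismatches = []
    for key in ("pfs", "transform", "lifetime_seconds", "lifetime_kilobytes"):
        if side_a[key] != side_b[key]:
            mismatches.append(f"{key}: {side_a[key]!r} vs {side_b[key]!r}")
    return mismatches


def check_sample():
    """Compare the two constructed configs and return the mismatch list."""
    asa = parse_phase2(ASA_CONFIG, default_seconds=ASA_DEFAULT_SECONDS)
    ios = parse_phase2(IOS_CONFIG, default_seconds=IOS_DEFAULT_SECONDS)
    return compare_phase2(asa, ios)


if __name__ == "__main__":
    for item in check_sample():
        print("MISMATCH", item)
```

For the sample configs this reports the PFS group (group2 versus none) and the SA lifetime in seconds (the ASA's explicit 28800 versus the router's assumed default 3600). A lifetime mismatch of that kind explains a tunnel that drops at regular intervals, because one peer expires the SA long before the other expects a rekey; the fix is to set the same PFS group and the same lifetimes explicitly in both crypto-map entries rather than relying on either platform's defaults.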