New Member

IPsec tunnel going down at specific times

Hi

I have an IPsec tunnel between an ASA 5510 (UK) & a router (France) that seems to be going down at specific times during the day. I have attached the syslog as well.

I cannot seem to copy & paste the config onto here for some reason, so I have attached the configs, IPsec details & syslog details from the ASA.

New Member


Hi,

From my experience, if you're connecting an ASA with a router, it's very important to have all settings configured the same.

At first look, PFS is used on the UK side, and on the FR side I can't see it configured.

Also check the default settings for IPsec lifetimes on both sides (IKE seems to be OK, if the tunnel goes up...).

BR

Pavel

New Member


Hi Pavel,

Sorry, but what is PFS?

New Member


Hi,

Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

HTH
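
The check suggested in the replies above (same PFS setting and IPsec lifetime on the ASA and the router) can be scripted. This is an added example, not part of the thread and not the poster's configuration: the two config snippets, map names and addresses are constructed, and the parser assumes one crypto map entry per device.

```python
import re

# Constructed sample configs; names and addresses are placeholders.
ASA_CFG = """\
crypto map OUTSIDE_MAP 10 match address VPN_FR
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
"""
IOS_CFG = """\
crypto map VPN_UK 10 ipsec-isakmp
 set peer 198.51.100.1
 set security-association lifetime seconds 3600
 match address 110
"""

PFS_RE = re.compile(r"\bset pfs(?:\s+(group\d+))?\s*$")
LIFE_RE = re.compile(r"\bset security-association lifetime seconds (\d+)\s*$")

def phase2_settings(config):
    """Extract PFS group and IPsec SA lifetime from crypto map lines.
    Assumes a single crypto map entry per config."""
    found = {"pfs": None, "lifetime_s": None}
    in_map = False
    for line in config.splitlines():
        if line.startswith("crypto map "):
            in_map = True            # ASA one-line form or IOS entry header
        elif not line.startswith(" "):
            in_map = False           # left the indented IOS sub-block
        if not in_map:
            continue
        if (m := PFS_RE.search(line)):
            found["pfs"] = m.group(1) or "platform default"
        elif (m := LIFE_RE.search(line)):
            found["lifetime_s"] = int(m.group(1))
    return found

def compare(asa_cfg, ios_cfg):
    """Return a list of phase 2 differences between the two peers."""
    a, b = phase2_settings(asa_cfg), phase2_settings(ios_cfg)
    issues = []
    if a["pfs"] != b["pfs"]:
        issues.append(f"PFS mismatch: ASA={a['pfs'] or 'off'} router={b['pfs'] or 'off'}")
    if a["lifetime_s"] is None or a["lifetime_s"] != b["lifetime_s"]:
        issues.append(f"Lifetime differs or unset: ASA={a['lifetime_s']} router={b['lifetime_s']}")
    return issues

if __name__ == "__main__":
    for issue in compare(ASA_CFG, IOS_CFG):
        print(issue)
```

An unset lifetime is reported rather than treated as a match, because each platform then falls back to its own default.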
