Re: VPN Lifetime Best Practices - What are your opinions....
Why do we bother to change the user password every 45 days or so? Because our security policy says so, for real security reasons.
The same is with P1 and P2 SAs.
They are there for the security reasons.
If the man in the middle got the P2 key through brute force or some other means, and if P2 has been configured not to rekey, then you will lose the security of your entire session/lifetime of the VPN tunnel.
If P2 has been configured to rekey at specified intervals then you will lose the security for that session only, because the key is going to change for the next session, which can be defined based on the amount of traffic or time.
If the stress is on specified P2 rekey intervals then PFS should be used; otherwise, if the key mat is compromised, there is no use in rekeying. PFS maintains that to generate the new key the key mat (key generating material) should not be used if it has already been used, thereby keeping the raw material used to generate the key unique.
Cisco routers use independent SAs for both P1 and P2, whereas PIX uses channelised SAs. The difference between the two is that the P2 SA is not tied to the ISA SA in one and is tied to the P1 SA in the other. Routers have independent P1 and P2 SAs, and that's the reason why you see the tunnel working even when there is no P1 SA. The opposite holds in PIXes.
The specification says that the lesser lifetime in any of the phases has to be honoured by the initiator/responder; however, this is where the different implementations failed to bring up the tunnel, so keep the lifetime the same on both sides.
My opinion is to leave them as they are if the other side is of the same breed and vendor; otherwise match ON BOTH SIDES to whatever your security policy says.
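The rekey and PFS point above, worked through as a toy derivation added here (not part of the original post): the IKEv1 Quick Mode KEYMAT formulas from RFC 2409 section 5.5 are run with and without PFS, and a holder of leaked Phase 1 key material (SKEYID_d) tries to recompute each rekeyed P2 key. HMAC-SHA256 as the prf and the small Diffie-Hellman group are assumptions for illustration, not real IKE parameters.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group so the example runs instantly. Constructed for
# illustration only; it is NOT one of the IKE MODP groups.
DH_P = (1 << 127) - 1   # a Mersenne prime
DH_G = 2


def prf(key, data):
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-256 assumed here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def quick_mode_rekey(skeyid_d, spi, pfs):
    """One Phase 2 (Quick Mode) rekey, per RFC 2409 section 5.5:
         no PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
         PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Returns (wire, keymat): everything sent in the exchange, and the key."""
    proto = b"\x03"                                  # PROTO_IPSEC_ESP
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"proto": proto, "spi": spi, "ni": ni, "nr": nr}
    if pfs:
        x = secrets.randbelow(DH_P - 2) + 1          # private exponents:
        y = secrets.randbelow(DH_P - 2) + 1          # never sent, discarded after
        wire["gx"], wire["gy"] = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
        gxy = pow(wire["gy"], x, DH_P).to_bytes(16, "big")
        return wire, prf(skeyid_d, gxy + proto + spi + ni + nr)
    return wire, prf(skeyid_d, proto + spi + ni + nr)


def recover_keymat(skeyid_d, wire):
    """Key derivable from a leaked SKEYID_d plus the observed exchange.
    Without PFS the inputs are all there; with PFS the DH secret is missing."""
    if "gx" in wire:
        return None
    return prf(skeyid_d, wire["proto"] + wire["spi"] + wire["ni"] + wire["nr"])


def count_recoverable(pfs, rekeys=5):
    """How many of `rekeys` P2 SAs have keys that follow from a leaked SKEYID_d."""
    skeyid_d = secrets.token_bytes(32)   # long-lived Phase 1 key material
    hits = 0
    for i in range(rekeys):
        wire, keymat = quick_mode_rekey(skeyid_d, i.to_bytes(4, "big"), pfs)
        hits += recover_keymat(skeyid_d, wire) == keymat
    return hits
```

Without PFS every rekeyed key falls out of the leaked material, so rekeying alone buys nothing once the key mat is compromised; with PFS each rekey depends on a fresh DH secret that is never transmitted.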