IPSec CA Mode + NTP = Interoperability

Hello Experts,

We have a Customer connected in HUB & SPOKE Method (around 700+ Locations). The IPSec is established between the HUB & Spoke Locations, i.e., all SPOKE Locations will establish an IPSec Peer with the HUB.

Few locations are running with CA - Certificate Authentication Mechanism and few are in Pre-Shared Mechanism.

Question:

=========

Locations that are running in CA - Certificate Authentication Mechanism are mandatory to run with "NTP" Configured ?

Because we have seen in many Locations that if the "NTP" is not synchronised (at Spoke), the "IPSec Peer" is not coming up. Once the NTP is configured and synchronized, the IPSec session will be up.

Note: The Peer is also NTP Configured.

Is there any "Interoperability" defined between the IPSec CA Mode & NTP, i.e., if the CA Method is used in IPSec, is NTP also to be configured as a must, and the time to be synchronised between the Peer & the Spoke Location?

Another Question:

=================

If I configure my HUB Router as the Central NTP Server for the SPOKE Locations, where the HUB Router will receive the NTP Details from some of the Internet NTP Servers.

Whether it is possible to use the same "IPSec Peer" IP @ Address as the NTP Server IP for the Spoke Locations ?

Thanks in Advance for your Help

Best Regards,

Guru Prasad R

Accepted Solutions
Re: IPSec CA Mode + NTP = Interoperability

Hello,

question 1)

Yes, certificates are time-bound, so the IPsec peers need to be synchronized, and NTP is the best way to do it.

question 2) NTP has to work before the IPsec tunnel is formed, so using the external/public IP address is a viable choice to build an NTP relationship.

hope to help

Giuseppe
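
Added example, not part of the original thread: a certificate is accepted only while the validating device's own clock falls between the certificate's notBefore and notAfter dates, so a spoke with an unsynchronized clock rejects an otherwise good certificate. The validity window, spoke names and clock readings below are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed validity window, written the way OpenSSL prints certificate dates.
NOT_BEFORE = "Jan 15 00:00:00 2024 GMT"
NOT_AFTER = "Jan 14 23:59:59 2026 GMT"


def _parse(cert_time):
    """Convert an OpenSSL-style certificate date to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def check_validity(local_clock, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """Judge the certificate by the device's own clock, as each peer does."""
    start, end = _parse(not_before), _parse(not_after)
    if local_clock < start:
        return False, f"not yet valid: clock is {start - local_clock} before notBefore"
    if local_clock > end:
        return False, f"expired: clock is {local_clock - end} past notAfter"
    return True, "valid"


def audit(spokes):
    """Map each spoke to the verdict its own clock would produce."""
    return {name: check_validity(clock) for name, clock in spokes.items()}


# Constructed clock readings; the spoke names are hypothetical.
SPOKES = {
    # NTP-synchronized clock inside the validity window
    "spoke-synced": datetime(2025, 3, 10, 8, 0, tzinfo=timezone.utc),
    # clock fell back to an old date after a power cycle, NTP not configured
    "spoke-clock-reset": datetime(2002, 3, 1, 0, 5, tzinfo=timezone.utc),
    # clock set by hand and running past the certificate's end date
    "spoke-clock-ahead": datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, (ok, reason) in audit(SPOKES).items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'}  {reason}")
```
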


Re: IPSec CA Mode + NTP = Interoperability

Hi Giuseppe,

Your POST was informative.

Thanks,

Guru Prasad R
