Fwd: [fw-wiz] LAN-LAN VPN using PIXes and a dialup connection
From: Stefan Pantke (seaside.ki_at_mac.com)
To: email@example.com
Date: Sat, 26 Jun 2004 12:42:13 +0200
On 25.06.2004 at 20:27, Dave Piscitello wrote:
> At 04:56 PM 6/25/2004 +0200, you wrote:
>>> Port 50/TCP is remote mail checking protocol. Are you using this?
>> No, I meant IP protocol 50.
> Won't this trigger a connection if you are periodically checking mail?
No. IP protocol 50 is ESP, securely encapsulated payload.
I will check if email checking is enabled, but most likely, this
is not the case.
> I don't use this protocol so I'm not certain, but on many VPN
> implementations any traffic to a non-local destination will trigger a
> switched/dialup connection and consequent IKE exchange (if tunnel is
> not active).
>>> Depending on your session duration parameter, IKE will refresh keys
>>> (according to your security policy) So I'd check this value?
>> IKE lifetime 8 hours
>> VPN lifetime 5 minutes - to not force the line to be kept open
> I think this might be your problem. I don't believe cisco's
> implementation correlates IPsec SA and dialup status. With your
> 5 minute IPsec SA lifetime, you have told the PIX, "refresh the IPsec
> SA keys every 5 minutes", then it may do so irrespective of whether
> you have an ISDN or dialup connection in the "disconnected" state.
This is a new config to check, if things change.
Regarding IKE lifetime, this is documented:
IPSec negotiation can be broken down into five steps, including two
Internet Key Exchange (IKE) phases.
1. An IPSec tunnel is initiated by interesting traffic. Traffic is
considered interesting when it is traveling between the IPSec peers.
2. In IKE Phase 1, the IPSec peers negotiate the established IKE
Security Association (SA) policy. Once the peers are authenticated, a
secure tunnel is created using Internet Security Association and Key
Management Protocol (ISAKMP).
3. In IKE Phase 2, the IPSec peers use the authenticated and secure
tunnel to negotiate IPSec SA transforms. The negotiation of the shared
policy determines how the IPSec tunnel will be established.
4. The IPSec tunnel is created and data is transferred between the
IPSec peers based on the IPSec parameters configured in the IPSec
5. The IPSec tunnel terminates when the IPSec SAs are deleted or when
their lifetime expires.
> Try raising your IPsec SA lifetime to 1 hour to see if you eliminate
> the dial. If so, then look up how you can set an auto dial capability
> on your ISDN line to only keep the line up when idle for 5 minutes.
Before this change the lifetime was 8 hours, and the PIX was dialing.
>> Currently my main question is this:
>> - Is a CISCO PIX based IPsec VPN supposed to keep the outside
>> quiet as long as no new traffic arrives?
> I recall there's an IOS command that says what traffic initiates an
> outgoing call but I do not recall the command itself.
Yes, a filter might be required if some interesting traffic is really
being injected from the LAN to the PIX.
firewall-wizards mailing list
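The hypothesis Dave raises above (the PIX refreshes the IPsec SA on its lifetime timer regardless of whether the dial-on-demand line is up) can be made concrete with a small timing model. The following is an added example, not code from the thread or from Cisco: it is a constructed simulation of a dial-on-demand link with an idle timeout and an IPsec SA with a fixed lifetime, and it compares the two behaviours the thread discusses: rekeying on the timer versus letting the SA lapse and renegotiating only when the next interesting packet arrives. The function names, the one-second time step and the sample traffic times are all assumptions made for the illustration; the model does not explain Stefan's observation that the PIX still dialed with an 8-hour lifetime, which points at other interesting traffic on the LAN side (the filter he mentions) as the remaining thing to check.

```python
"""Toy model: IPsec SA lifetime timer versus a dial-on-demand ISDN/dialup link.

Constructed example for the firewall-wizards thread above; not PIX or IOS
code. Time is in whole seconds. Every name here is an assumption made for
the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class DialOnDemandLink:
    """Line that comes up on any outbound packet and drops after
    `idle_timeout` seconds without traffic."""
    idle_timeout: int
    up: bool = False
    last_activity: int = 0
    dial_events: list = field(default_factory=list)

    def send(self, now: int, reason: str) -> None:
        """Any packet to a non-local destination brings the line up."""
        if not self.up:
            self.up = True
            self.dial_events.append((now, reason))
        self.last_activity = now

    def tick(self, now: int) -> None:
        """Drop the line once it has been idle for the configured timeout."""
        if self.up and now - self.last_activity >= self.idle_timeout:
            self.up = False


def simulate(duration: int, ipsec_lifetime: int, idle_timeout: int,
             user_traffic_times, rekey_on_timer: bool):
    """Run `duration` seconds and return the list of (time, reason) dial events.

    rekey_on_timer=True  : the behaviour Dave suspects; when the IPsec SA
                           lifetime expires the peer sends IKE rekey traffic,
                           which is non-local and so brings a down line up.
    rekey_on_timer=False : the SA is simply deleted on expiry and a new IKE
                           negotiation happens only when interesting traffic
                           next arrives (what Stefan expects the PIX to do).
    """
    link = DialOnDemandLink(idle_timeout)
    sa_expiry = None                   # None: no IPsec SA established
    traffic = set(user_traffic_times)  # constructed sample: times of LAN packets
    for now in range(duration):
        link.tick(now)
        if sa_expiry is not None and now >= sa_expiry:
            if rekey_on_timer:
                link.send(now, "IKE rekey")
                sa_expiry = now + ipsec_lifetime
            else:
                sa_expiry = None       # SA gone; wait for interesting traffic
        if now in traffic:
            if sa_expiry is None:
                # Interesting traffic with no SA: IKE phases 1/2 run first.
                link.send(now, "IKE negotiation")
                sa_expiry = now + ipsec_lifetime
            link.send(now, "user traffic")
    return link.dial_events


def count_dials(*args, **kwargs) -> int:
    """Number of times the line was brought up in the scenario."""
    return len(simulate(*args, **kwargs))


if __name__ == "__main__":
    one_hour, two_hours = 3600, 7200
    # Stefan's setting: 5-minute IPsec SA lifetime, line idles out after 2 min,
    # a single burst of traffic at t=0 and nothing afterwards.
    print("5 min SA, rekey on timer   :",
          count_dials(one_hour, 300, 120, [0], rekey_on_timer=True), "dials")
    print("5 min SA, SA lapses instead:",
          count_dials(one_hour, 300, 120, [0], rekey_on_timer=False), "dials")
    # Dave's suggestion: 1-hour SA lifetime with a 5-minute idle timeout.
    print("1 h SA, rekey on timer, 2 h:",
          count_dials(two_hours, 3600, 300, [0], rekey_on_timer=True), "dials")
    # Steady traffic every minute keeps the line up, so rekeys never dial.
    print("5 min SA, traffic every 60s:",
          count_dials(one_hour, 300, 120, range(0, one_hour, 60),
                      rekey_on_timer=True), "dials")
```

With only one burst of traffic at the start, the timer-driven rekey brings the line up once every five minutes (twelve dials in the hour, eleven of them IKE rekeys), while letting the SA lapse dials once; raising the lifetime to an hour, as Dave suggests, reduces the timer-driven case to one rekey dial per hour. The last scenario shows why the same rekey goes unnoticed on a busy link: while user traffic keeps the line up, a rekey is just more traffic on an already-open connection.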