UTT HiPER 840G Advanced Configuration Manual page 150

UTT Technologies
negotiate a lifetime for each SA. If an SA is nearing the end of its lifetime, the endpoints
must negotiate a new SA and use it instead. The SA lifetime specifies how often each SA
should be renegotiated, based either on elapsed time or on the amount of network traffic.
In the Web UI, you can go to the VPN > IPSec > IPSec Settings page to click the Advanced Options
hyperlink to configure the lifetime of IKE SA by the parameter Time Lifetime (Phase 1), and configure
the lifetime of IPSec SAs by the parameters Time Lifetime (Phase 2) and Data Lifetime (Phase 2)
(section 6.1.2.2).
Reducing the lifetime forces the IPSec endpoints to renegotiate the SAs more frequently.
Frequent renegotiation improves security, but at the expense of higher CPU utilization
and possible delays during the renegotiation process. Therefore, the SA lifetime is usually
set to a relatively long time (the suggested value is between 1 and 24 hours). Because
IPSec itself gives the endpoints no way to detect the loss of peer connectivity, the SAs
remain until their lifetimes expire, and each endpoint assumes that its peer is available
until then. If the connectivity between the two endpoints goes down unexpectedly (routing
problems, a system reboot, etc.), one endpoint keeps sending packets to its peer until the
SAs expire; this results in a false connection (the SAs are normal, but the tunnel is
disconnected) in which packets are tunneled into oblivion. Therefore, either endpoint must
be able to detect a dead peer as soon as possible; the method used for this purpose is
called Dead Peer Detection (DPD). DPD costs less than SA renegotiation, so it is performed
at a higher frequency.
2. DPD (Dead Peer Detect)
Dead Peer Detection (DPD) is a traffic-based method of detecting a dead IKE peer. DPD
allows an endpoint to verify its peer's liveness periodically. This helps the endpoint
avoid sending IPSec packets to a peer that is no longer available (a "Martian" host).
After DPD is enabled, the endpoint periodically sends DPD heartbeat messages at the
specified time interval (usually 20 seconds to about 1 minute) to the peer to verify its
availability. After several consecutive heartbeat messages go unanswered, the endpoint
renegotiates the SAs with the peer.
In the Web UI, you can go to the VPN > IPSec > IPSec Settings page and click the Advanced Options
hyperlink to select the DPD check box, which enables the DPD feature, and configure the Heartbeat
Interval parameter to specify the time interval at which the UTT VPN gateway periodically sends DPD
heartbeat messages to the peer to verify its availability (section 6.1.2.2).
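The two mechanisms above interact in a simple way: an SA is torn down and renegotiated either because its time or data lifetime ran out, or because DPD declared the peer dead after a run of unanswered heartbeats. The following Python model, added here as an illustration and not code from UTT's firmware or this manual, replays a constructed event timeline against a Phase 2 SA and a DPD state machine and reports which of the three triggers fired and when. The event kinds (`tick`, `tx`, `dpd_reply`), the `max_missed` threshold (the page gives no number for how many heartbeats may be missed) and the instant re-establishment on renegotiation are all assumptions of the model.

```python
# Added example (not UTT firmware code): a model of why an IPsec endpoint
# renegotiates its Security Associations. Three triggers are modelled:
#   - the SA's time lifetime elapsed       ("Time Lifetime (Phase 2)")
#   - the SA's data lifetime was reached   ("Data Lifetime (Phase 2)")
#   - DPD missed max_missed heartbeats     ("Heartbeat Interval" + a threshold)
# The threshold max_missed and the event model are hypothetical.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ChildSa:
    """A Phase 2 (IPsec) SA with the two lifetime limits the text describes."""
    established_at: float       # seconds on the simulation clock
    time_lifetime_s: float      # corresponds to "Time Lifetime (Phase 2)"
    data_lifetime_bytes: int    # corresponds to "Data Lifetime (Phase 2)"
    bytes_sent: int = 0

    def expiry_reason(self, now: float) -> Optional[str]:
        """'time' or 'data' once the matching limit is reached, else None."""
        if now - self.established_at >= self.time_lifetime_s:
            return "time"
        if self.bytes_sent >= self.data_lifetime_bytes:
            return "data"
        return None


@dataclass
class DpdState:
    """Heartbeat bookkeeping: the peer is declared dead once `max_missed`
    consecutive heartbeats have gone unanswered."""
    heartbeat_interval_s: float  # corresponds to "Heartbeat Interval"
    max_missed: int              # hypothetical threshold (not given on the page)
    next_send_at: float = 0.0
    unanswered: int = 0

    def on_timer(self, now: float) -> bool:
        """Run on every timer tick; returns True when the peer is declared dead."""
        if now < self.next_send_at:
            return False                      # not yet time for a heartbeat
        if self.unanswered >= self.max_missed:
            return True                       # max_missed heartbeats unanswered
        self.unanswered += 1                  # "send" a heartbeat, await reply
        self.next_send_at = now + self.heartbeat_interval_s
        return False

    def on_reply(self) -> None:
        """A heartbeat reply proves the peer is alive; clear the miss counter."""
        self.unanswered = 0


Event = Tuple[float, str, Optional[int]]  # (time, kind, payload bytes or None)


def simulate(events: List[Event], time_lifetime_s: float, data_lifetime_bytes: int,
             heartbeat_interval_s: float, max_missed: int) -> List[Tuple[float, str]]:
    """Replay a timeline and return the renegotiations it triggers.

    Event kinds: 'tick' (timer fired), 'tx' (payload bytes sent through the
    tunnel), 'dpd_reply' (peer answered a heartbeat). Each renegotiation is
    modelled as an instant re-establishment of the SA at the same time stamp.
    """
    sa = ChildSa(0.0, time_lifetime_s, data_lifetime_bytes)
    dpd = DpdState(heartbeat_interval_s, max_missed)
    actions: List[Tuple[float, str]] = []

    def renegotiate(t: float, reason: str) -> None:
        actions.append((t, f"renegotiate:{reason}"))
        sa.established_at, sa.bytes_sent = t, 0
        dpd.unanswered, dpd.next_send_at = 0, t + heartbeat_interval_s

    for t, kind, payload in events:
        if kind == "tx":
            sa.bytes_sent += payload or 0
        elif kind == "dpd_reply":
            dpd.on_reply()
        elif kind == "tick" and dpd.on_timer(t):
            renegotiate(t, "dpd")
            continue
        reason = sa.expiry_reason(t)          # lifetime check after every event
        if reason:
            renegotiate(t, reason)
    return actions


# Constructed timeline: two bursts of traffic exhaust the data lifetime early,
# then the peer stops answering heartbeats, and much later the time lifetime
# of the re-established SA runs out.
CONSTRUCTED_TIMELINE: List[Event] = [
    (0, "tick", None), (1, "dpd_reply", None),
    (5, "tx", 6_000_000), (10, "tx", 6_000_000),
    (20, "tick", None), (40, "tick", None), (60, "tick", None),
    (80, "tick", None), (100, "tick", None),
    (3800, "tick", None),
]


def demo() -> List[Tuple[float, str]]:
    """Lifetime 1 h / 10 MB, heartbeat every 20 s, dead after 3 misses."""
    return simulate(CONSTRUCTED_TIMELINE, time_lifetime_s=3600,
                    data_lifetime_bytes=10_000_000,
                    heartbeat_interval_s=20, max_missed=3)


if __name__ == "__main__":
    for t, action in demo():
        print(f"t={t:>5}s  {action}")
```

Running the script lists a data-lifetime renegotiation at t=10, a DPD-triggered one at t=100 (three heartbeats at 40, 60 and 80 s went unanswered, so the fourth timer tick declares the peer dead) and a time-lifetime renegotiation at t=3800. The ordering in `simulate` reflects the text's point that DPD is the cheaper, more frequent check: it runs on every tick, while lifetimes are only a backstop.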
9.5.1.6 IPSec Tunnel Establishment Process
In the context of IPSec, the initiator is the IPSec endpoint that initiates the IKE
negotiation, and the responder is the IPSec endpoint that responds to the incoming IKE
request.
IPSec works in peer-to-peer mode, where either endpoint of an IPSec tunnel can act as
http://www.uttglobal.com
Chapter 10 VPN
Page 183