LevelOne GBR-4001 User Manual page 143

4-wan gigabit broadband vpn router

Once both communicating parties have established an authenticated secure channel in the first phase, the second phase proceeds: in this phase an IPSec SA is negotiated to protect the user data that will be transmitted through the IPSec tunnel.
As in the first phase, both parties exchange proposals to determine the security parameters used in the SA. The second-phase proposal also specifies a security protocol (the device currently supports ESP) together with the selected encryption and authentication algorithms.
Regardless of the mode used in the first phase, the second phase always runs in Quick Mode, which consists of an exchange of three messages.
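The three-message exchange described above, simulated with both peers in one process, as an added example (this is not the router's own code). It assumes that phase 1 already produced the shared SKEYID_d and SKEYID_a keys (given here as constants), that the negotiated prf is HMAC-SHA1, and that nonces and SPIs come from an injectable rand() function; the hash and KEYMAT formulas are those of RFC 2409 section 5.5 without PFS, while the SA payload encoding is a simplified stand-in for the ISAKMP wire format.

```python
"""Added example: IKEv1 phase 2 (Quick Mode) simulated in one process.

Not the router's code. SKEYID_d and SKEYID_a come from phase 1 and are
given as constants; nonces and SPIs come from an injectable rand().
Proposal matching follows the manual (ESP + encryption + authentication);
hashes and keys follow RFC 2409 section 5.5 without PFS:
  HASH(1) = prf(SKEYID_a, M-ID | SA | Ni)
  HASH(2) = prf(SKEYID_a, M-ID | Ni_b | SA | Nr)
  HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
  KEYMAT  = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), K2 = prf(SKEYID_d, K1 | ...), ...
The SA payload encoding is a simplified stand-in for the ISAKMP wire format.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

PROTO_ESP = 3                                       # IPSEC_ESP protocol ID (RFC 2407)
KEY_LEN = {"aes128": 16, "3des": 24, "hmac-sha1": 20, "hmac-md5": 16}
Proposal = Tuple[str, str]                          # (encryption, authentication)


def prf(key: bytes, *parts: bytes) -> bytes:
    """The phase 1 prf; HMAC-SHA1 assumed here."""
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()


def encode_sa(spi: bytes, proposals: List[Proposal]) -> bytes:
    """Simplified SA payload: the offerer's inbound SPI plus its ESP proposals."""
    return spi + b"ESP:" + b";".join(f"{e}/{a}".encode() for e, a in proposals)


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, length: int) -> bytes:
    """KEYMAT for one ESP SA, expanded by chaining until `length` bytes exist."""
    seed = bytes([PROTO_ESP]) + spi + ni + nr
    out = prf(skeyid_d, seed)                       # K1
    while len(out) < length:
        out += prf(skeyid_d, out[-20:], seed)       # Kn = prf(SKEYID_d, K(n-1) | seed)
    return out[:length]


class Peer:
    def __init__(self, policy: List[Proposal], skeyid_d: bytes, skeyid_a: bytes,
                 rand: Callable[[int], bytes] = os.urandom):
        self.policy, self.d, self.a, self.rand = policy, skeyid_d, skeyid_a, rand
        self.keys = {}                              # SPI -> KEYMAT, filled on success


def quick_mode(init: Peer, resp: Peer, msg_id: bytes) -> Optional[Proposal]:
    """Runs the three Quick Mode messages; returns the chosen proposal or None."""
    # message 1, initiator -> responder: HDR*, HASH(1), SA, Ni
    ni, spi_i = init.rand(16), init.rand(4)
    sa_i = encode_sa(spi_i, init.policy)
    hash1 = prf(init.a, msg_id, sa_i, ni)
    # the responder checks HASH(1) before it looks at a single proposal
    if not hmac.compare_digest(hash1, prf(resp.a, msg_id, sa_i, ni)):
        raise ValueError("HASH(1) mismatch: message not from the phase 1 peer")
    chosen = next((p for p in init.policy if p in resp.policy), None)
    if chosen is None:
        return None                                 # responder sends NO-PROPOSAL-CHOSEN
    # message 2, responder -> initiator: HDR*, HASH(2), SA, Nr
    nr, spi_r = resp.rand(16), resp.rand(4)
    sa_r = encode_sa(spi_r, [chosen])
    hash2 = prf(resp.a, msg_id, ni, sa_r, nr)
    if not hmac.compare_digest(hash2, prf(init.a, msg_id, ni, sa_r, nr)):
        raise ValueError("HASH(2) mismatch")
    # message 3, initiator -> responder: HDR*, HASH(3) proves the initiator saw Nr
    hash3 = prf(init.a, b"\x00", msg_id, ni, nr)
    if not hmac.compare_digest(hash3, prf(resp.a, b"\x00", msg_id, ni, nr)):
        raise ValueError("HASH(3) mismatch")
    # each side derives both one-way SAs on its own; spi_i keys traffic toward the initiator
    n = KEY_LEN[chosen[0]] + KEY_LEN[chosen[1]]
    for peer in (init, resp):
        peer.keys = {spi: keymat(peer.d, spi, ni, nr, n) for spi in (spi_i, spi_r)}
    return chosen
```

The point to notice is that every message is bound to the phase 1 keys and the message ID through HASH(1..3), so the responder verifies HASH(1) before it evaluates any proposal and a third party that does not hold SKEYID_a cannot inject or downgrade a proposal. Each direction of traffic gets its own SA, keyed from the SPI that the receiving side chose, which is why the two KEYMAT values differ even though both peers compute both.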
II. Maintenance of security associations
Once the SA has been established, both IPSec peers must also maintain it, to ensure that the SA remains secure and valid. IPSec checks the validity of an SA with the following methods:
1. SA survival time (lifetime)
When the SA is negotiated, the two parties also negotiate its survival time; when that time reaches the configured value, the SA must be renegotiated to establish a new one. Periodic renegotiation is equivalent to changing passwords on a regular basis.
In the WEB UI, you can configure "Survival time" and "Maximum flow" under "Advanced options" of VPN configuration -> IPSec.
Rebuilding the SA frequently lowers data transfer efficiency, because each renegotiation consumes a large amount of system resources (mainly the DH exchange and the generation of random numbers). The SA survival time is therefore usually set relatively long (typically 1 hour to 1 day); the trade-off is that a longer survival time means more traffic is protected under the same keys.
Within the validity period, however, the two communicating parties can only "assume" that the other is working normally, because they have no way to check on each other (in the way PING does). If one party fails or the network between them goes down, the other party does not learn that the connection has been interrupted and keeps sending data to a peer that no longer exists. The result is a false connection: the SA looks normal and data is sent normally, but two-way communication cannot be completed. There must therefore be an effective way to verify that both parties to the IPSec SA are fully functional and that the network connection between them is intact. Because the overhead of this check is far lower than that of renegotiating the IPSec SA, it can be run much more often. This technique is IPSec "DPD", which exists as a complement to SA negotiation.
2. DPD (Dead Peer Detection)
IPSec DPD checks the SA at regular intervals to find out whether the peer still exists. Within the SA's survival time and maximum-flow limits, it periodically verifies that the peer's network is reachable and its IPSec process is running, so as to discover communication faults caused by network changes and to avoid keeping an SA with a peer that has already disappeared. The detection interval is usually around 20 seconds to 1 minute; each party detects the other by sending a "heartbeat" packet. After several consecutive heartbeat packets are lost, IPSec DPD tears down the SA and forcibly initiates a new SA negotiation.
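Both maintenance methods of section II, the survival-time and maximum-flow limits of item 1 and the heartbeat of item 2, modelled for one side of an SA as an added example (not the router's own code). The heartbeat follows RFC 3706 Dead Peer Detection, which is the standard form of the "heartbeat" the manual describes: an R-U-THERE notify carrying a monotonically increasing sequence number, answered by an R-U-THERE-ACK that echoes it, sent only while the peer has been silent. The policy defaults, the retry timer and the timelines in simulate() are assumptions chosen for the example.

```python
"""Added example: keeping an IPsec SA alive by lifetime, byte limit and DPD.
Models one side of an IPsec SA (not the router's code). The lifetime and
"maximum flow" checks follow the manual; the heartbeat follows RFC 3706
(R-U-THERE / R-U-THERE-ACK with a sequence number, sent only when the peer
has been silent). Timer values and the timelines below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SAPolicy:
    lifetime_s: int = 3600     # "Survival time" in the WEB UI
    max_bytes: int = 0         # "Maximum flow"; 0 = no byte limit
    dpd_interval_s: int = 20   # silence before the first heartbeat
    dpd_retry_s: int = 5       # wait for an ack before counting a loss
    dpd_retries: int = 3       # consecutive losses before the peer is dead


class IPsecSA:
    def __init__(self, policy: SAPolicy, now: float, spi: int):
        self.policy, self.spi = policy, spi
        self.established_at = now
        self.bytes_sent = 0
        self.last_heard = now          # last authenticated packet or ack from the peer
        self.seq = 0                   # last R-U-THERE sequence number sent
        self.pending: Optional[tuple] = None   # (seq, sent_at) awaiting an ack
        self.lost = 0
        self.state = "UP"              # UP -> REKEY (limit hit) or DEAD (DPD failed)
        self.log: list = []

    # ---- 1. survival time and maximum flow -------------------------------
    def send(self, nbytes: int, now: float) -> Optional[str]:
        """Account outbound bytes and check the negotiated limits."""
        self.bytes_sent += nbytes
        return self.check_limits(now)

    def check_limits(self, now: float) -> Optional[str]:
        reason = None
        if now - self.established_at >= self.policy.lifetime_s:
            reason = "lifetime"
        elif self.policy.max_bytes and self.bytes_sent >= self.policy.max_bytes:
            reason = "max-flow"
        if reason and self.state == "UP":
            self.state = "REKEY"
            self.log.append(f"{now:.0f}s limit reached ({reason}): renegotiate SA")
        return reason

    # ---- 2. DPD ------------------------------------------------------------
    def receive(self, now: float) -> None:
        """Any authenticated inbound packet is proof of life; no heartbeat needed."""
        self.last_heard, self.lost = now, 0

    def dpd_tick(self, now: float) -> Optional[int]:
        """Called on a timer; returns the sequence number of a heartbeat sent, if any."""
        if self.state != "UP":
            return None
        if self.pending is not None:
            seq, sent_at = self.pending
            if now - sent_at < self.policy.dpd_retry_s:
                return None                        # still waiting for the ack
            self.pending, self.lost = None, self.lost + 1
            self.log.append(f"{now:.0f}s no ack for seq={seq} ({self.lost}/{self.policy.dpd_retries})")
            if self.lost >= self.policy.dpd_retries:
                self.state = "DEAD"
                self.log.append(f"{now:.0f}s peer dead: delete SA {self.spi:#x} and renegotiate")
                return None
        elif now - self.last_heard < self.policy.dpd_interval_s:
            return None                            # peer was heard recently
        self.seq += 1                              # first probe or retry
        self.pending = (self.seq, now)
        self.log.append(f"{now:.0f}s send R-U-THERE seq={self.seq}")
        return self.seq

    def dpd_ack(self, seq: int, now: float) -> bool:
        """Accept an R-U-THERE-ACK only if it echoes the outstanding sequence number."""
        if self.pending is None or self.pending[0] != seq:
            self.log.append(f"{now:.0f}s drop stale or forged ack seq={seq}")
            return False
        self.pending = None
        self.receive(now)
        return True


def simulate(peer_answers: bool, ticks=range(0, 61, 5)) -> IPsecSA:
    """Constructed timeline: peer silent from t=0; the DPD timer fires every 5 s."""
    sa = IPsecSA(SAPolicy(), now=0, spi=0xC0FFEE)
    for t in ticks:
        seq = sa.dpd_tick(t)
        if seq is not None and peer_answers:
            sa.dpd_ack(seq, t + 1)                 # live peer replies within 1 s
    return sa
```

Running simulate(True) leaves the SA UP with two heartbeats sent and acknowledged (at 20 s and 45 s); simulate(False) sends probes at 20, 25 and 30 s and declares the peer dead at 35 s, after which a new negotiation would be started. Two details matter for security rather than just liveness: an ack is only accepted if it echoes the outstanding sequence number, so a replayed or forged ack cannot keep a dead SA alive, and any authenticated inbound traffic resets the timer, so the probes add no overhead while the tunnel is busy.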
http://www.level1.com
Chapter 12 VPN
Page 138