4 Replies Latest reply on Jun 9, 2017 8:13 AM by jayh

    IPsec VPN

    naff New Member

      Hi Guys,

      I am currently having an issue with my IPsec VPN between a Netvanta 1335 and a Netvanta 2400. I have a few phones sitting behind the Netvanta 1335 and a PBX server sitting behind the Netvanta 2400. The communication between the phones and the PBX goes over the IPsec VPN. For some weird reason the phones randomly get disconnected from the PBX system every time I receive the notification below.

      CRYPTO_IKE: id=vpn time="2016-05-17 16:00:35" fw=XXXXXXX pri=6 proto=esp src=X.X.X.X dst=X.X.X.X vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x8a96222c, Remote ID XXXXXX agent=IPsec

      I would highly appreciate it if someone could explain, or give some information on, what the notification means.

      For clarity, the topology looks like this:

      Phones -> Netvanta 1335 -> IPsec -> Netvanta 2400 -> PBX system

      Thanks!

      Naf

        • Re: IPsec VPN
          dayo76 New Member

          Looks like a timeout for the VPN tunnel. Can you please show both peer settings without IPs?

            • Re: IPsec VPN
              naff New Member

              Hi Dayo76,

              Thanks for the reply. Please see the IPsec configs for both sites below.

              Netvanta 1335 (remote site):

              !
              crypto ike policy 100
                initiate aggressive
                respond anymode
                local-id fqdn [Local-ID]
                peer X.X.X.X
                attribute 1
                  encryption 3des
                  hash md5
                  authentication pre-share
                  lifetime 86400
              !
              crypto ike remote-id fqdn [hub site local-id] preshared-key [KEY] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
              !
              ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                mode tunnel
              !
              ip crypto map VPN 10 ipsec-ike
                match address ip NO-NAT
                set peer X.X.X.X
                set transform-set esp-3des-esp-md5-hmac
                ike-policy 100
              !

              ###############################################

              Netvanta 2400 (hub site):

              !
              crypto ike policy 101
                no initiate
                respond anymode
                local-id fqdn [Local-ID]
                peer any
                attribute 1
                  encryption 3des
                  hash md5
                  authentication pre-share
                  lifetime 86400
              !
              crypto ike remote-id fqdn [remote site local-id] preshared-key [key] ike-policy 101 crypto map VPN 1530 no-mode-config no-xauth
              !
              crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                mode tunnel
              !
              crypto map VPN 1530 ipsec-ike
                description *******
                match address [ACL]
                set transform-set esp-3des-esp-md5-hmac
                ike-policy 101
              !

              ########################################

              The configured lifetime for the IKE is 24 hours. The notification happens randomly every day. Sometimes it happens within 12 hours of the configured lifetime, sometimes 8 hours.

              Is there a way to monitor IPsec via SNMP?

                • Re: IPsec VPN
                  mick Visitor

                  I don't have an answer for your problem, but the message you posted shows a normal renegotiation of keys for the IPsec tunnel between the two VPN peers. It is set at 28,800 sec (8 hours) by default, and a few minutes in advance of this interval new keys are exchanged, before the old keys are dropped. This is transparent to traffic flowing through the tunnel and shouldn't really affect the phone sessions.

                  --

                  Regards,

                  Mick

              • Re: IPsec VPN
                jayh Hall_of_Fame

                It may be that there is no interesting traffic to keep the tunnel open. Note that the hub site doesn't initiate. Try creating an ICMP ping probe on the remote site that pings a resource at the hub through the tunnel every ten seconds or so. Ping should have both source and destination on the protected networks. You don't need it to track anything, just to generate a ping every ten seconds. See if this solves the problem.
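Added example, not code from this thread or from Adtran: a small Python script that parses lines in the CRYPTO_IKE format quoted in the original post and checks the cadence of "SA Soft Life Time Finished" events per peer pair. Scheduled rekeys, as mick describes, arrive roughly one IPsec SA lifetime (28,800 s by default) apart; an event that arrives much sooner means the SA was rebuilt in between, i.e. the tunnel went down and came back, which is the idle-tunnel case jayh points at and the one worth correlating with the phone drops. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the original post) in the AOS CRYPTO_IKE format quoted
# there: three soft-lifetime events for one peer pair, 8 h apart and then only ~3 h apart.
SAMPLE_LOG = """\
CRYPTO_IKE: id=vpn time="2016-05-17 08:00:35" fw=hub-fw pri=6 proto=esp src=198.51.100.1 dst=203.0.113.1 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x8a96222c, Remote ID remote.example" agent=IPsec
CRYPTO_IKE: id=vpn time="2016-05-17 16:00:35" fw=hub-fw pri=6 proto=esp src=198.51.100.1 dst=203.0.113.1 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x1a2b3c4d, Remote ID remote.example" agent=IPsec
CRYPTO_IKE: id=vpn time="2016-05-17 19:12:10" fw=hub-fw pri=6 proto=esp src=198.51.100.1 dst=203.0.113.1 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x5e6f7a8b, Remote ID remote.example" agent=IPsec
"""

IPSEC_SA_LIFETIME = 28800  # default IPsec SA lifetime in seconds, as stated in the thread
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value quoted or bare
SPI_RE = re.compile(r"SPI (0x[0-9a-fA-F]+)")


def parse_crypto_ike(line):
    """Split one CRYPTO_IKE line into its key=value fields and pull the SPI out of msg."""
    fields = {k: q or u for k, q, u in KV_RE.findall(line)}
    m = SPI_RE.search(fields.get("msg", ""))
    fields["spi"] = m.group(1) if m else None
    fields["ts"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def check_rekey_cadence(log_text, lifetime=IPSEC_SA_LIFETIME, slack=600):
    """For each soft-lifetime event, report the seconds since the previous one for the same
    src/dst pair. A gap well below the SA lifetime (minus some slack for the early soft
    timer) is flagged as unscheduled: the SA was rebuilt, not rekeyed on schedule."""
    last_seen = {}
    findings = []
    for line in log_text.splitlines():
        if "Soft Life Time Finished" not in line:
            continue
        ev = parse_crypto_ike(line)
        key = (ev["src"], ev["dst"])
        prev = last_seen.get(key)
        if prev is not None:
            gap = int((ev["ts"] - prev).total_seconds())
            findings.append({"spi": ev["spi"], "gap": gap,
                             "unscheduled": gap < lifetime - slack})
        last_seen[key] = ev["ts"]
    return findings


if __name__ == "__main__":
    for finding in check_rekey_cadence(SAMPLE_LOG):
        print(finding)
```

Feed it the device's syslog export to see whether the "disconnect" events line up with the 8-hour rekeys or with tunnel rebuilds that happen earlier.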