naff
New Contributor

IPsec VPN

Hi Guys,

I am currently having an issue with my IPsec VPN between a Netvanta 1335 and a Netvanta 2400. I have a few phones sitting behind the Netvanta 1335 and a PBX server sitting behind the Netvanta 2400. The communication between the phones and the PBX is over the IPsec VPN. For some weird reason the phones randomly get disconnected from the PBX system every time I receive the notification below.

CRYPTO_IKE: id=vpn time="2016-05-17 16:00:35" fw=XXXXXXX pri=6 proto=esp src=X.X.X.X dst=X.X.X.X vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x8a96222c, Remote ID XXXXXX agent=IPsec

I would highly appreciate it if someone could explain or give some information on what the notification means.

For clarity, topology looks like this:

Phones -> Netvanta1335 -> IPsec->Netvanta2400 ->PBX system.

Thanks!

Naf

4 Replies
Anonymous
Not applicable

Re: IPsec VPN

Looks like a timeout for the VPN tunnel. Can you please show both peer settings without IPs?

naff
New Contributor

Re: IPsec VPN

Hi Dayo76,

Thanks for the reply. Please see the IPsec configs for both sites below.

Netvanta 1335 (remote-site):

!
crypto ike policy 100
  initiate aggressive
  respond anymode
  local-id fqdn [Local-ID]
  peer X.X.X.X
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
!
crypto ike remote-id fqdn [hub site local-id] preshared-key [KEY] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  match address ip NO-NAT
  set peer X.X.X.X
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!

###############################################

Netvanta 2400 (Hub-site):

!
crypto ike policy 101
  no initiate
  respond anymode
  local-id fqdn [Local-ID]
  peer any
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
!
crypto ike remote-id fqdn [remote site local-id] preshared-key [key] ike-policy 101 crypto map VPN 1530 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 1530 ipsec-ike
  description *******
  match address [ACL]
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 101
!

########################################

The configured lifetime for the IKE is 24 hours. The notification happens randomly every day. Sometimes it happens within 12 hours of the configured lifetime, sometimes 8 hours.

Is there a way to monitor IPsec via SNMP?

Re: IPsec VPN

I don't have an answer for your problem, but the message you posted shows a normal renegotiation of keys for the IPsec tunnel between the two VPN peers. It is set at 28,800 sec (8 hours) by default, and a few minutes in advance of this interval new keys are exchanged, before the old keys are dropped. This is transparent to traffic flowing through the tunnel and shouldn't really affect the phone sessions.

--
Regards,
Mick
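The rekey notification in the original post is a key=value syslog line, so one way to approach the "how do I monitor IPsec" question is from the logs rather than SNMP. The script below is an added example, not code from this thread or from ADTRAN: it parses CRYPTO_IKE lines in the format shown above, groups the "SA Soft Life Time Finished" events by firewall and tunnel, and flags any two consecutive rekeys that arrive closer together than the 28,800 s default lifetime Mick mentions would predict. The sample log lines, hostnames, addresses, Remote IDs and SPIs are constructed for the example; the 90 % tolerance and the use of the 28,800 s default as the threshold are assumptions (substitute the configured SA lifetime if it differs).

```python
"""Flag IPsec SA rekeys that arrive earlier than the SA lifetime predicts.

Added example for the AOS CRYPTO_IKE log format quoted in the thread; not
ADTRAN code. Sample log lines below are constructed, not captured.
"""
import re
from datetime import datetime

# key=value pairs; values are either a double-quoted string (closing quote
# optional, because the OP's msg= field is missing it) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"?|\S+)')
SPI_RE = re.compile(r'SPI (0x[0-9A-Fa-f]+)')
TIME_FMT = "%Y-%m-%d %H:%M:%S"
REKEY_MARKER = "SA Soft Life Time Finished"

# Default IPsec SA lifetime quoted in the thread (28,800 s). Assumption: the
# tunnels under study use this default; pass the configured value otherwise.
DEFAULT_SA_LIFETIME = 28800

# Constructed sample: four rekeys on vpn=1-1 (the third one early, and with the
# OP's missing closing quote) and a single rekey on vpn=1-2.
SAMPLE_LOG = """\
CRYPTO_IKE: id=vpn time="2016-05-17 00:00:10" fw=hub1 pri=6 proto=esp src=203.0.113.10 dst=198.51.100.20 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x1a2b3c4d, Remote ID remote1" agent=IPsec
CRYPTO_IKE: id=vpn time="2016-05-17 08:00:05" fw=hub1 pri=6 proto=esp src=203.0.113.10 dst=198.51.100.20 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x2b3c4d5e, Remote ID remote1" agent=IPsec
CRYPTO_IKE: id=vpn time="2016-05-17 12:30:40" fw=hub1 pri=6 proto=esp src=203.0.113.10 dst=198.51.100.20 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x3c4d5e6f, Remote ID remote1 agent=IPsec
CRYPTO_IKE: id=vpn time="2016-05-17 20:30:30" fw=hub1 pri=6 proto=esp src=203.0.113.10 dst=198.51.100.20 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x4d5e6f70, Remote ID remote1" agent=IPsec
CRYPTO_IKE: id=vpn time="2016-05-17 03:15:00" fw=hub1 pri=6 proto=esp src=203.0.113.10 dst=198.51.100.30 vpn=1-2 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x5e6f7081, Remote ID remote2" agent=IPsec
"""


def parse_line(line):
    """Return the key=value fields of one CRYPTO_IKE line as a dict.

    'time' is converted to a datetime and the ESP SPI is pulled out of the
    free-text msg field under the key 'spi' (None if absent).
    """
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "time" in fields:
        fields["time"] = datetime.strptime(fields["time"], TIME_FMT)
    m = SPI_RE.search(fields.get("msg", ""))
    fields["spi"] = m.group(1) if m else None
    return fields


def rekey_events(log_text):
    """Keep only the soft-lifetime rekey notifications from a block of syslog."""
    events = []
    for line in log_text.splitlines():
        if not line.startswith("CRYPTO_IKE:"):
            continue
        f = parse_line(line)
        if REKEY_MARKER in f.get("msg", ""):
            events.append(f)
    return events


def rekey_intervals(events):
    """Map (fw, vpn) -> [(previous_spi, new_spi, seconds_between), ...]."""
    by_tunnel = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_tunnel.setdefault((e["fw"], e["vpn"]), []).append(e)
    return {
        key: [
            (a["spi"], b["spi"], int((b["time"] - a["time"]).total_seconds()))
            for a, b in zip(evs, evs[1:])
        ]
        for key, evs in by_tunnel.items()
    }


def early_rekeys(intervals, lifetime=DEFAULT_SA_LIFETIME, tolerance=0.9):
    """Return rekeys that came sooner than tolerance * lifetime after the last.

    A soft-lifetime rekey recurs roughly once per SA lifetime. A gap well
    short of that means a new SA was negotiated for some other reason (for
    instance the tunnel being torn down and rebuilt), which is the event to
    line up against the phone disconnects.
    """
    flagged = []
    for (fw, vpn), gaps in intervals.items():
        for prev_spi, spi, secs in gaps:
            if secs < tolerance * lifetime:
                flagged.append((fw, vpn, prev_spi, spi, secs))
    return flagged


if __name__ == "__main__":
    for fw, vpn, prev_spi, spi, secs in early_rekeys(rekey_intervals(rekey_events(SAMPLE_LOG))):
        print(f"{fw} vpn={vpn}: SPI {prev_spi} -> {spi} after only {secs}s")
```

Feed it the CRYPTO_IKE lines from the router's syslog target (or the event history) in place of SAMPLE_LOG; with the constructed data the only flagged gap is the 16,235 s one on vpn=1-1, while the 28,795 s and 28,790 s gaps are on schedule for an 8-hour lifetime.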

jayh
Honored Contributor

Re: IPsec VPN

It may be that there is no interesting traffic to keep the tunnel open. Note that the hub site doesn't initiate. Try creating an ICMP ping probe on the remote site that pings a resource at the hub through the tunnel every ten seconds or so. Ping should have both source and destination on the protected networks. You don't need it to track anything, just to generate a ping every ten seconds. See if this solves the problem.