Select Page

IPsec VPN SA Lifetime And DPD

by | 3-May-2021 | Cisco, Security, VPN

(1) IPsec VPN SA lifetime

IKE SA & IPsec SA both have independent lifetime values

  • Lifetime values are negotiated separately
    • IKE SA lifetime during IKE Phase 1 negotiation
    • IPsec SA lifetime during IKE Phase 2 negotiation
  • If Phase-1 SA is timeout you don’t necessarily need to run Phase-2
  • Ideally they should have a different value
  • So they will not re-key in the same time

 

IKE allows the crypto endpoints to negotiate a lifetime for each SA

  • SA lifetime can be in time and volume-limit (bytes)
    • Peer with lower lifetime value is gonna be choosen
  • Default values in Cisco IOS
    • IKE SA: 38,400 seconds and N/A (volume-limit can’t be used)
    • IPsec SA: 3,600 seconds and 4,608,000 kilobytes

(2) IKE “Dead Peer Detection” (DPD)

IKE DPD Overview

  • IKE “Dead Peer Detection”
    • Mechanism to detect unreachable IKE peer using keepalive message probes.
    • Delete IKE SA and IPsec SA if unreachable IKE peer detected
      • > Otherwise, unreachable SAs remain active until its lifetime expired
  • DPD standard in RFC 3706 is pretty open in term of implementation
    • RFC describes DPD negotiation procedure and two new ISAKMP NOTIFY messages
    • But each implementation can be different, e.g Cisco IOS is different with Cisco ASA
    • DPD capabilities are negotiated in IKE Phase 1
    • DPD parameters are not negotiated, locally significant
  • DPD keepalive message (Figure 1)
    • Use ISAKMP NOTIFY message as a transport
    • “R-U-THERE” message as a DPD request
    • “R-U-THERE-ACK” message as a DPD response
  • Retry count is non-configurable and equals to five (Figure 2)
    • Once 1 DPD <threshold> is missed by the peer
      • > Router moves to a more aggressive state <retry_interval>
    • If 5 consecutive aggressive DPD response messages are missed, peer wil be declared dead
      • > Dead peer’s IKE SA and IPsec SA will be deleted

 

DPD on IOS router

  • IOS will always agree to be a DPD responder in IKE negotiation
    • By default DPD initiation is disabled
  • For DPD initiation, 2 implementation are supported
    • DPD On-demand (default mode)
      • > If the crypto endpoint has sent outbound traffic
      • > And peer doesn’t respond and idle for <threshold> value
      • > Then initiate aggressive DPD request <retry_interval>
    • DPD Periodic
      • > Initiate DPD request at <threshold> interval value
      • > If peer doesn’t respond to the DPD request
      • > Then initiate aggressive DPD request <retry_interval>

 

DPD configuration on IOS router

  • DPD configuration globally
    • R(config)#crypto isakmp keepalive <threshold> <retry_interval> [on-demand|periodic]
      • > Threshold: range is 10s – 3600s, DPD message interval
      • > retry_interval: default is 2s, retry interval after the threshold is missed
  • DPD parameter can be changed per IKE profile (attached to individual IKE peer)
    • R(config)#crypto isakmp profile ISAKMP_ABC
    • R(conf-isa-prof)#keepalive <threshold> retry <retry_interval>
      • > The on-demand or periodic options will inherit from global configuration

Recent Comments

    0 Comments

    Submit a Comment

    Your email address will not be published. Required fields are marked *