Does anyone know if the lifetime value used for the IKE session is determined by the initiator? It appears from the behavior I've observed that the lifetime value is always determined by whichever peer is in the initiator role.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Devin Kennedy
Sent: Thursday, June 02, 2011 11:37 AM
To: [email protected]
Subject: [j-nsp] IKE Key Life-times on J-series vs. SRX

Hello All:

I am seeing a difference in behavior on the J4350 vs. the SRX240 for the IKE key lifetime negotiation for IPsec phase 1. In both cases the peer is a Cisco 1841. Please see outputs below. Has anyone else run into this? I would expect that it ought to take the lower lifetime value as it does on the SRX240. BTW, I'm running Junos 10.4R4.5 on both Juniper routers.

On the SRX I saw what I expected to see, which is that the negotiated value is the lesser of the two if they do not match:

SRX240

[edit]
Devin@SRX240-1# show security ike proposal testikeprop
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin@SRX240-1# run show security ike security-associations detail
IKE peer 10.10.3.89, Index 7707821, Role: Initiator, State: UP
  Initiator cookie: ed10b684f40a71d2, Responder cookie: 3c2a1fb09e701c34
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.93:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 28795 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  688
   Output bytes  :                  880
   Input  packets:                    4
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 1851437682
    Local: 10.10.3.93:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.9.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done

Cisco 1841

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2

C1841-2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

C1841-2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1156  10.10.3.89      10.10.3.93             ACTIVE aes  sha  psk  2  0        D
       Engine-id:Conn-id = ??? (deleted)
1155  10.10.3.89      10.10.3.93             ACTIVE aes  sha  psk  2  07:59:34 D
       Engine-id:Conn-id = SW:155

With the J4350 in place of the SRX240, with the same configuration as shown for the SRX240 and the same configuration as shown for the Cisco 1841, I see:

J4350

[edit]
Devin@J4350-1# show security ike proposal testikeprop      <-- No lifetime configured so should use default of 28800
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin@J4350-1#

Devin@J4350-1> show security ike security-associations detail
IKE peer 10.10.3.89, Index 4833153, Role: Responder, State: UP
  Initiator cookie: b4443ecf19364ac2, Responder cookie: 7c741a4fcb0f5558
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.85:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 86321 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  864
   Output bytes  :                 1092
   Input  packets:                    5
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 931695683
    Local: 10.10.3.85:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.11.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done

Cisco 1841

C1841-2#sho crypto isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

0     10.10.3.89      10.10.3.85             ACTIVE aes  sha  psk  2  0        D
       Engine-id:Conn-id = ???
1237  10.10.3.89      10.10.3.85             ACTIVE aes  sha  psk  2  23:59:19 D
       Engine-id:Conn-id = SW:237

C1841-2#sho crypto isa pol

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Thanks,

Devin
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
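An added check, not part of the thread, that parses the two Junos SA outputs quoted above and flags the J4350 case: it assumes the thread's expectation that the negotiated phase-1 lifetime should be the lesser of the two peers' values, and it uses the lifetimes the thread states (Junos default 28800 s when none is configured, Cisco policy 86400 s).

```python
import re

# Phase-1 lifetimes stated in the thread (seconds): the Junos default that
# applies when no lifetime is configured, and the Cisco 1841 ISAKMP policy.
JUNOS_DEFAULT_LIFETIME = 28800
CISCO_POLICY_LIFETIME = 86400

# Excerpts of "show security ike security-associations detail" copied from
# the thread (line breaks restored; only the fields the check needs are kept).
SRX_OUTPUT = """\
IKE peer 10.10.3.89, Index 7707821, Role: Initiator, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Lifetime: Expires in 28795 seconds
"""
J4350_OUTPUT = """\
IKE peer 10.10.3.89, Index 4833153, Role: Responder, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Lifetime: Expires in 86321 seconds
"""


def parse_junos_ike_sa(text):
    """Return (peer, role, seconds_remaining) from one Junos IKE SA block."""
    peer = re.search(r"IKE peer (\S+),", text).group(1)
    role = re.search(r"Role: (Initiator|Responder)", text).group(1)
    remaining = int(re.search(r"Expires in (\d+) seconds", text).group(1))
    return peer, role, remaining


def check_lifetime(text, local_policy, remote_policy):
    """Flag an SA that is living longer than the local phase-1 policy allows.

    Assumption (the thread's expectation): the negotiated lifetime should be
    the lesser of the two peers' values. "Expires in" sits a few seconds
    below the negotiated lifetime, so the negotiated value is taken as the
    candidate closest to the remaining time. 'ok' is False once the remaining
    time already exceeds the local policy, i.e. the peer's longer lifetime
    was accepted (the J4350 symptom).
    """
    peer, role, remaining = parse_junos_ike_sa(text)
    candidates = (local_policy, remote_policy)
    negotiated = min(candidates, key=lambda v: abs(v - remaining))
    return {
        "peer": peer,
        "role": role,
        "remaining": remaining,
        "expected": min(candidates),
        "negotiated": negotiated,
        "ok": remaining <= local_policy,
    }
```

Running `check_lifetime` over each device's output gives `ok: True` for the SRX240 (negotiated 28800) and `ok: False` for the J4350 (negotiated 86400 while acting as responder).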

