David Strout wrote:
1. Which side of the tunnel is the initiator if
both are set up the same, and is there an
initiator w/ pfS?
Either side can be the initiator for both phase1 or phase2 depending on
which side of the tunnel the initial traffic originates. Phase1 (
aggressive or main mode ) is used to establish an ISAKMP SA. The ISAKMP
SA is used to protect future exchanges between the two peers. Phase2 (
quick mode ) is used to establish any number of IPSEC SAs. An IPSEC SA
is used with ESP or AH to protect IP packet data between two peers.
Consider a cold start of the following scenario ...
HOST A --- GATEWAY 1 <---> GATEWAY 2 --- HOST B, HOST C
POLICY #1 = ESP between HOST A and HOST B
POLICY #2 = ESP between HOST A and HOST C
If HOST A attempts to communicate with HOST B, GATEWAY 1 will first
establish an ISAKMP SA between itself and GATEWAY 2. It will then use
the ISAKMP SA to protect the negotiation of an IPSEC/ESP SA between
itself and GATEWAY 2 that matches POLICY #1. If HOST C then attempts to
communicate with HOST A, GATEWAY 2 will use the previously established
ISAKMP SA to negotiate an IPSEC/ESP SA between itself and GATEWAY 1 that
matches POLICY #2.
For the first two exchanges, GATEWAY 1 is the initiator for both phase1 and
phase2. In this last exchange, GATEWAY 2 is the initiator for phase2.
2. When using the keep alive setting (auto ping
host) is/should this be the inside interface of
the remote tunnel. I have tried setting this to
some non-assigned IP and the tunnel will collapse
after about 10 minutes. If I leave this field
blank (don't use keep alive) then the tunnel stays
up for a longer period of time after
initialization, but will collapse after roughly
28800 (the phase 1 lifetime).
Is the intent to defeat firewall states from being expired? I don't see
how this is going to help much with keeping IPSEC SAs established unless
there is only a single policy and both VPN Gateways have an address in
each of their respective private networks. Your setup would have to look
something like this ...
10.1.1.1/24 GW1 3.3.3.3 <-> 4.4.4.4 GW2 10.2.2.2/24
... and the single policy would need to look like ...
ESP between 10.1.1/24 and 10.2.2/24
... with pings being sent between 10.1.1.1 and 10.2.2.2 addresses. A
ping command line switch or a funky local route would be required to
make sure the ICMP is sourced from the correct address. The bottom line
is that traffic needs to be generated between the two networks specified
in the policy to ensure ESP traffic is constantly being sent/received.
-Matthew
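The two points above (who ends up initiating phase1 vs. phase2 on a cold start, and why a keepalive only helps when its packets actually match a policy) as a small simulation. This is an added example, not code from the thread; the host addresses, the /32 host policies and the 10.1.1.0/24 <-> 10.2.2.0/24 site policy are constructed to mirror the scenarios in the message.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    name: str
    local: ipaddress.IPv4Network   # hosts on this gateway's side of the tunnel
    remote: ipaddress.IPv4Network  # hosts behind the peer gateway

    def matches(self, src, dst):
        return src in self.local and dst in self.remote

@dataclass
class Gateway:
    name: str
    policies: list
    isakmp_peers: set = field(default_factory=set)  # peers with a live phase1 (ISAKMP) SA
    ipsec_sas: set = field(default_factory=set)     # policy names with a live phase2 (IPsec) SA

def outbound(gw, peer, src, dst):
    """gw sees a packet src->dst that must reach peer; negotiate only what is missing.
    Returns (phase1 initiator or None, phase2 initiator or None, matched policy name)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pol = next((p for p in gw.policies if p.matches(src, dst)), None)
    if pol is None:
        return (None, None, None)  # no policy matched: nothing negotiated, nothing refreshed
    p1 = p2 = None
    if peer.name not in gw.isakmp_peers:      # cold start: the ISAKMP SA comes first
        p1 = gw.name
        gw.isakmp_peers.add(peer.name); peer.isakmp_peers.add(gw.name)
    if pol.name not in gw.ipsec_sas:          # quick mode runs under the existing ISAKMP SA
        p2 = gw.name
        gw.ipsec_sas.add(pol.name); peer.ipsec_sas.add(pol.name)
    return (p1, p2, pol.name)

def cold_start_scenario():
    """Replay HOST A -> HOST B, then HOST C -> HOST A, then HOST B -> HOST A (constructed addresses)."""
    a, b, c = (ipaddress.ip_network(h) for h in ("10.1.1.10/32", "10.2.2.20/32", "10.2.2.30/32"))
    gw1 = Gateway("GATEWAY 1", [Policy("POLICY #1", a, b), Policy("POLICY #2", a, c)])
    gw2 = Gateway("GATEWAY 2", [Policy("POLICY #1", b, a), Policy("POLICY #2", c, a)])
    return [
        outbound(gw1, gw2, "10.1.1.10", "10.2.2.20"),  # GW1 initiates phase1 and phase2
        outbound(gw2, gw1, "10.2.2.30", "10.1.1.10"),  # GW2 reuses ISAKMP SA, initiates phase2
        outbound(gw2, gw1, "10.2.2.20", "10.1.1.10"),  # both SAs already up: nothing to do
    ]

def keepalive_hits_policy(local_net, remote_net, src, dst):
    """True only if a keepalive ping src->dst would actually ride the ESP SA for this policy."""
    pol = Policy("site", ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net))
    return pol.matches(ipaddress.ip_address(src), ipaddress.ip_address(dst))
```

A ping sourced from the gateway's public address (e.g. 3.3.3.3) never matches the 10.1.1/24 <-> 10.2.2/24 policy, which is why it does nothing for the IPsec SAs.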