topic Re: Ask about Associaton Lifetime in Network Security

Ask about Associaton Lifetime

danielbusisa1410 — Mon, 04 May 2020 10:09:23 GMT

Hi Guys,

I have some question about the lifetime association, I have work with AWS VPN L2L and our tunnel is already up.

but every 1 hour the tunnel state is down, is this because i set the lifetime association 3600 ? and what if i changed the lifetime association to be longer is that possible or not? there is any problem after i changed it?

Your respond is needed

Thank you

Re: Ask about Associaton Lifetime

Sheraz.Salim — Mon, 04 May 2020 10:45:11 GMT

in version ikev1 if the time values of phase 1 are different on both routers/firewalls than the lower value always have a win.
lifetime association, This is the lifetime of the keys that the tunnel uses to encrypt data.
The time and data limits are there to protect the integrity of the keys used to encrypt you data.
The data limit is there so that no part of the key is used twice.
I just leave mine set as default.
8 Hours
460800 KBytes
When these timers run out the tunnel negotiates a new key. If you have activity through the tunnels you shouldn't even notice when these timers expire.

Re: Ask about Associaton Lifetime

danielbusisa1410 — Mon, 04 May 2020 10:45:32 GMT

Hi Sheraz,

I still don't get it, is there any issue if i change the lifetime association? and when i set it 3600 second, it means every 1 hour the vpn generated a new key and make some traffic state down for a while?

Thank you for your attention

Re: Ask about Associaton Lifetime

Sheraz.Salim — Mon, 04 May 2020 11:20:32 GMT

can you make sure what other side is configured and match both side values.

Re: Ask about Associaton Lifetime

danielbusisa1410 — Mon, 04 May 2020 11:40:12 GMT

Hi Sheraz,

I will check it later in AWS, what happen if the value is different? i need information why is traffic state down periodcly 1 hour like i set on association lifetime

Thank you for your help

Re: Ask about Associaton Lifetime

danielbusisa1410 — Mon, 04 May 2020 17:03:15 GMT

Hi Sheraz,

I got problem like in this pic, the traffic state is periodicly (1hour) change to 0,5. is this happen due to the association lifetime 3600 seconds? or it's normal when ipsec generated new key

Thank you for your kindly help

Re: Ask about Associaton Lifetime

Sheraz.Salim — Mon, 04 May 2020 20:40:25 GMT

do you see the tunnel going down too? when the key exchange happens the tunnel does not go down. could you share you config file. this behavior is not normal. you using ASA or its router? since when this happening?

Re: Ask about Associaton Lifetime

danielbusisa1410 — Tue, 05 May 2020 01:05:01 GMT

Hi Sheraz,

Thank you for your response,

What kind config do you want? or you just write the command what do you want here?

this just happen we still investigate and what happen when i set a lifetime association longer ? is there any problem on security if i changed longer?

Thank you

Re: Ask about Associaton Lifetime

Sheraz.Salim — Tue, 05 May 2020 18:17:32 GMT

this just happen we still investigate and what happen when i set a lifetime association longer ? is there any problem on security if i changed longer?

If you are security company or your company deal with a highly sensitive information between two remote side than its a good practice to rekey the lifetime association in short period of time. but if its not a very sensitive data than you can leave it as default. its all depend on your company security policies.