VPN Key Negotiation

D@1984
Level 1

Hi,

Can someone please advise how much bandwidth will be utilized during the key negotiation and rekeying? Just an estimation.

I have some issues with a tunnel that has lots of encryption domains (50+), and the lifetime is currently set to 10 minutes for phase 1 and 30 for phase 2. End users are complaining about poor performance and random disconnections for traffic that goes over the tunnel. Looking at the logs, time-wise these usually happen at the same time as the rekeying. Monitoring the bandwidth, I also see peaks every half an hour, which again match the key lifetime. Could these disconnections be caused by the small key lifetime? Or perhaps by the large number of encryption domains and the fact that all these SA key negotiations happening at the same time utilize all the available bandwidth?

Thanks

3 Replies

That's a good question and I don't know the answer; however, I would expect the resources used to renegotiate the keys to be minimal. I believe setting the lifetimes with such short timers would have some impact on the user experience, and to be honest, those timers you mentioned are way too aggressive. I would recommend trying to increase the timers and seeing if that helps. Also, one thing you could potentially try would be summarizing those encryption domains where possible.

D@1984 I agree with @Aref Alsouqi, the timers are too aggressive; any reason why so short? If you have a lot of traffic selectors for different networks defined, you could migrate to a route-based VPN, which has a TS of 0.0.0.0/0.0.0.0, so there is one TS to renegotiate. You should still consider longer timers, perhaps with PFS and stronger crypto for the IKE and IPsec SAs.

I'm not sure who agreed on these settings, but it doesn't seem that we have the "any" encryption domain option; it could be a restriction on their firewall or their preference.