[j-nsp] IKE Key Life-times on J-series vs. SRX

Devin Kennedy devinkennedy415 at hotmail.com
Thu Jun 2 15:59:23 EDT 2011


Does anyone know if the lifetime value used for the IKE session is
determined by the initiator?  It appears from the behavior I've observed
that the lifetime value is always determined by whichever peer is in the
initiator role.  



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Devin Kennedy
Sent: Thursday, June 02, 2011 11:37 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] IKE Key Life-times on J-series vs. SRX

Hello All:

I am seeing a difference in behavior on the J4350 vs. the SRX240 for the IKE
key lifetime negotiation for IPsec phase 1.  In both cases the peer is a
Cisco 1841.  Please see outputs below.  Has anyone else run into this?  I
would expect that it ought to take the lower lifetime value as it does on
the SRX240.

BTW, I'm running Junos 10.4R4.5 on both Juniper routers.

On the SRX I saw what I expected to see, which is that the negotiated value
is the lesser of the two if they do not match:


SRX240

[edit]
Devin at SRX240-1# show security ike proposal testikeprop
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin at SRX240-1# run show security ike security-associations detail
IKE peer 10.10.3.89, Index 7707821,
  Role: Initiator, State: UP
  Initiator cookie: ed10b684f40a71d2, Responder cookie: 3c2a1fb09e701c34
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.93:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 28795 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  688
   Output bytes  :                  880
   Input  packets:                    4
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 1851437682
    Local: 10.10.3.93:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.9.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done



Cisco 1841

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2

C1841-2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
       encryption algorithm:      AES - Advanced Encryption Standard (256 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Pre-Shared Key
       Diffie-Hellman group:      #2 (1024 bit)
       lifetime:            86400 seconds, no volume limit
Default protection suite
       encryption algorithm:      DES - Data Encryption Standard (56 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Rivest-Shamir-Adleman Signature
       Diffie-Hellman group:      #1 (768 bit)
       lifetime:            86400 seconds, no volume limit

C1841-2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1156  10.10.3.89      10.10.3.93               ACTIVE aes  sha  psk  2  0 D
       Engine-id:Conn-id =  ???
(deleted)

1155  10.10.3.89      10.10.3.93               ACTIVE aes  sha  psk  2  07:59:34 D
       Engine-id:Conn-id =  SW:155


With the J4350 in place of the SRX240 with the same configuration as shown
for the SRX240 and same configuration as shown for the Cisco 1841, I see:


J4350

[edit]
Devin at J4350-1# show security ike proposal testikeprop   <-- No lifetime configured so should use default of 28800
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin at J4350-1#

Devin at J4350-1> show security ike security-associations detail
IKE peer 10.10.3.89, Index 4833153,
  Role: Responder, State: UP
  Initiator cookie: b4443ecf19364ac2, Responder cookie: 7c741a4fcb0f5558
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.85:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 86321 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  864
   Output bytes  :                 1092
   Input  packets:                    5
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 931695683
    Local: 10.10.3.85:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.11.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done


Cisco 1841

C1841-2#sho crypto isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

0     10.10.3.89      10.10.3.85               ACTIVE aes  sha  psk  2  0 D
       Engine-id:Conn-id =  ???

1237  10.10.3.89      10.10.3.85               ACTIVE aes  sha  psk  2  23:59:19 D
       Engine-id:Conn-id =  SW:237

C1841-2#sho crypto isa pol

Global IKE policy
Protection suite of priority 1
       encryption algorithm:      AES - Advanced Encryption Standard (256 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Pre-Shared Key
       Diffie-Hellman group:      #2 (1024 bit)
       lifetime:            86400 seconds, no volume limit
Default protection suite
       encryption algorithm:      DES - Data Encryption Standard (56 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Rivest-Shamir-Adleman Signature
       Diffie-Hellman group:      #1 (768 bit)
       lifetime:            86400 seconds, no volume limit


Thanks,

Devin

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
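As an added example (not from the thread or from either vendor), a small Python check that parses the two output formats quoted above and flags a Phase 1 SA whose remaining lifetime exceeds the lifetime the local policy intends, which is exactly the J4350 case (86321 s remaining against the Junos default of 28800 s) while the SRX240 case passes. The sample output lines are constructed from the captures in the thread with the wrapped IOS rows joined onto one line.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output modelled on the captures quoted in the thread (not
# the original pastes): Junos 'show security ike security-associations detail'
# and IOS 'show crypto isakmp sa detail', with wrapped rows joined on one line.
JUNOS_SA = """\
IKE peer 10.10.3.89, Index 4833153,
  Role: Responder, State: UP
  Local: 10.10.3.85:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 86321 seconds
"""
CISCO_SA = """\
C-id  Local       Remote      I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1155  10.10.3.89  10.10.3.93         ACTIVE aes  sha  psk  2  07:59:34 D
1156  10.10.3.89  10.10.3.93         ACTIVE aes  sha  psk  2  0        D
"""

def junos_remaining_seconds(text: str) -> Optional[int]:
    """Remaining Phase 1 lifetime reported by Junos, or None if not present."""
    m = re.search(r"Lifetime: Expires in (\d+) seconds", text)
    return int(m.group(1)) if m else None

def cisco_remaining_seconds(text: str) -> Dict[int, int]:
    """Map C-id -> remaining seconds for ACTIVE ISAKMP SAs in IOS output."""
    out: Dict[int, int] = {}
    for line in text.splitlines():
        # IOS prints remaining lifetime as HH:MM:SS; a bare '0' is a stale
        # entry with nothing left (the thread's '(deleted)' rows) and is skipped.
        m = re.match(r"^(\d+)\s.*\sACTIVE\s.*\s(\d{2}):(\d{2}):(\d{2})(?:\s|$)", line)
        if m:
            cid, h, mi, s = m.groups()
            out[int(cid)] = int(h) * 3600 + int(mi) * 60 + int(s)
    return out

def audit(junos_text: str, cisco_text: str,
          junos_policy: int = 28800, cisco_policy: int = 86400) -> List[str]:
    """Findings for SAs that will outlive the lifetime the local policy intends.

    Defaults are the thread's values: Junos default 28800 s, IOS policy 86400 s.
    """
    findings: List[str] = []
    j = junos_remaining_seconds(junos_text)
    if j is not None and j > junos_policy:
        findings.append(f"Junos SA: {j}s remaining > local lifetime {junos_policy}s")
    for cid, secs in cisco_remaining_seconds(cisco_text).items():
        if secs > cisco_policy:
            findings.append(f"IOS C-id {cid}: {secs}s remaining > local lifetime {cisco_policy}s")
    return findings
```

Running `audit` over fresh captures from both ends after a rekey is a quick way to confirm which peer's lifetime actually won the negotiation.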



