topic Re: vpn tu tlist in Firewall and Security Management

vpn tu tlist

Ricki_Juntak — Mon, 11 Apr 2022 05:41:52 GMT

Hi Checkmates,

Can you help me how to configure the tunnel expiration on the capture have 1 hour and what the purpose off the tunnel created and tunnel expiration?

(0) Site-to-Site tunnels are up:
IPSEC 0
NAT-T 0

(1) Number of Active Clients:
NAT-T 1
Visitor Mode 0
SSL 0

Re: vpn tu tlist

G_W_Albrecht — Mon, 11 Apr 2022 08:54:12 GMT

sk104760: ATRG: VPN Core

Re: vpn tu tlist

Ricki_Juntak — Mon, 11 Apr 2022 10:06:14 GMT

Thanks Albrecht,

I have read the SK and confused to read the SK because I cant find mention about tunnel_expiration and tunnel created

I have try on the lab-> using checkmate lab,

I try to find the configuration for tunnel created and tunnel expiration and I try to change the vpn_table.def on SMS(r81.10)

#define ISAKMP_TABLE_TIMEOUT 3600 --> change to 300
#define SPI_TABLE_TIMEOUT 3600 --> change to 300
#define IKE_SA_TABLE_TIMEOUT 3600 -> cahnge to 300

after change, push policy.

but the result is same duration for tunnel still 1 hour.

Re: vpn tu tlist

G_W_Albrecht — Tue, 12 Apr 2022 06:30:22 GMT

IKE_SA_table

Contains information about all ISAKMP SAs.
Entries from this table are used to conduct IKE Quick Mode negotiation of IPsec SA.
Entries are extracted from this table when the vpnd daemon is trapped for IPsec SA renewal.
Default expiration time is 3600 seconds.= 1 hour !
Synchronized in cluster.
Table entry is:
either
<Peer_IP ,0 , CookieI, CookieR; IKE_SA, IKE_SA_flag, RenegotiationTime; Timeout>
or
<Peer_IP, 0; IKE_SA, CookieI, CookieR, IKE_SA_flag, RenegotiationTime; Timeout>
where:
- Peer_IP - IP address of IKE peer
- CookieI - initiator cookie (8 bytes in host byte order)
- CookieR - responder cookie (8 bytes in host byte order)
- IKE_SA - ISAKMP SA data in Check Point code
- IKE_SA_flag - one of these values: 0x01=mobile, 0x02=initiator, 0x03=DAIP
- RenegotiationTime - The renegotiation time of the SA
- Timeout - How much time remained to expiration time

Re: vpn tu tlist

Ricki_Juntak — Tue, 12 Apr 2022 07:01:22 GMT

Thanks Albrecht,

I'm using remote access community, its possible to set the duration tunnel created and tunnel created?

if renegotiation expired what happen with the connection is re-establish?

Re: vpn tu tlist

G_W_Albrecht — Tue, 12 Apr 2022 08:26:08 GMT

Every hour, renegotiation of IPsec SA happens.

Re: vpn tu tlist

Ricki_Juntak — Thu, 14 Apr 2022 03:19:35 GMT

Thanks ALbrecht,

in the process renegotiation IPsec SA status connection is always establish right? not interrupt the traffic?

can you share the document about renegotiation IPsec SA on CheckPoint.

Re: vpn tu tlist

G_W_Albrecht — Thu, 14 Apr 2022 08:48:22 GMT

As this is standard, it is the same for all vendors: https://en.wikipedia.org/wiki/Internet_Key_Exchange

Re: vpn tu tlist

Ricki_Juntak — Mon, 25 Apr 2022 13:04:11 GMT

Thanks Albrecht