Ricki_Juntak
vpn tu tlist

Hi CheckMates,

Can you help me with how to configure the tunnel expiration? In the capture it is 1 hour. And what is the purpose of the "Tunnel created" and "Tunnel expiration" values?

[Expert@Internal-GW:0]# vpn tu tlist
+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.16.10.1 (cd6b8f0973d32146) | MSA: ffffc9001f624410 | i: 0 ref: -- 45/60 |
| Client public IP: 203.0.113.200 | | i: 1 ref: 4 |
| Authenticated at: Apr 11 01:36:22 | | i: 2 ref: -- 46/60 |
| Methods: ESP Tunnel 3DES SHA1 | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 172.16.10.1 | | |
| User: test | | |
| MSPI: 800005 (i: 1, p: 0) | Out SPI: 6980210e | |
| Tunnel created: Apr 11 01:36:22 | NAT-T | |
| Tunnel expiration: Apr 11 02:36:22 | | |
+-----------------------------------------+-----------------------+---------------------+

(0) Site-to-Site tunnels are up:
IPSEC 0
NAT-T 0

(1) Number of Active Clients:
NAT-T 1
Visitor Mode 0
SSL 0
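As an added example (not code from the thread, from Check Point or from the SK), here is a small Python parser for the `vpn tu tlist` output quoted above. It reads each tunnel block, computes the SA lifetime from the "Tunnel created" and "Tunnel expiration" timestamps, reports how long the SA has left at a given instant, and flags legacy ciphers in the "Methods" line. The output carries no year, so the year and the "now" instant are assumptions supplied by the caller; the sample text is the output from the question, embedded inline.

```python
"""Parse `vpn tu tlist` output and report IPsec SA lifetime per tunnel."""
from datetime import datetime

# Constructed sample: the `vpn tu tlist` output quoted in the question above.
SAMPLE_TLIST = """\
[Expert@Internal-GW:0]# vpn tu tlist
+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.16.10.1 (cd6b8f0973d32146) | MSA: ffffc9001f624410 | i: 0 ref: -- 45/60 |
| Client public IP: 203.0.113.200 | | i: 1 ref: 4 |
| Authenticated at: Apr 11 01:36:22 | | i: 2 ref: -- 46/60 |
| Methods: ESP Tunnel 3DES SHA1 | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 172.16.10.1 | | |
| User: test | | |
| MSPI: 800005 (i: 1, p: 0) | Out SPI: 6980210e | |
| Tunnel created: Apr 11 01:36:22 | NAT-T | |
| Tunnel expiration: Apr 11 02:36:22 | | |
+-----------------------------------------+-----------------------+---------------------+

(0) Site-to-Site tunnels are up:
IPSEC 0
NAT-T 0
"""

# Timestamps in the output have no year, so the caller supplies one (assumption).
TIME_FMT = "%b %d %H:%M:%S"

# "Key: value" cells we keep; the "i: N ref: ..." counters are skipped.
KNOWN_KEYS = {
    "Peer", "MSA", "Client public IP", "Authenticated at", "Methods", "My TS",
    "Peer TS", "User", "MSPI", "Out SPI", "Tunnel created", "Tunnel expiration",
}

# Ciphers a defender would flag as legacy if they show up in the Methods line
# (3DES has a 64-bit block and is deprecated; DES is long broken).
LEGACY_CIPHERS = {"3DES", "DES"}


def _parse_ts(value, year):
    return datetime.strptime(value, TIME_FMT).replace(year=year)


def parse_tlist(text):
    """Return one dict per tunnel block (blocks are bounded by '+---' separator lines)."""
    tunnels, current = [], None
    for line in text.splitlines():
        if line.startswith("+-"):
            if current is None:
                current = {}            # separator opens a block
            else:
                tunnels.append(current)  # separator closes it
                current = None
            continue
        if current is None or not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        for cell in cells:
            key, sep, value = cell.partition(":")
            if sep and key.strip() in KNOWN_KEYS:
                current[key.strip()] = value.strip()
            elif cell == "NAT-T":        # bare flag cell, no "key: value" form
                current["NAT-T"] = True
    return tunnels


def sa_lifetime(tunnel, year):
    """Seconds between 'Tunnel created' and 'Tunnel expiration' (same calendar year assumed)."""
    created = _parse_ts(tunnel["Tunnel created"], year)
    expires = _parse_ts(tunnel["Tunnel expiration"], year)
    return int((expires - created).total_seconds())


def seconds_remaining(tunnel, now):
    return int((_parse_ts(tunnel["Tunnel expiration"], now.year) - now).total_seconds())


def legacy_ciphers(tunnel):
    return sorted(set(tunnel.get("Methods", "").split()) & LEGACY_CIPHERS)


def report(text, now_iso):
    """Summarise every tunnel at the instant `now_iso` (e.g. '2024-04-11 02:00:00', an assumption)."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for t in parse_tlist(text):
        rows.append({
            "peer": t["Peer"].split()[0],
            "user": t.get("User"),
            "lifetime_s": sa_lifetime(t, now.year),
            "remaining_s": seconds_remaining(t, now),
            "legacy": legacy_ciphers(t),
            "nat_t": t.get("NAT-T", False),
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_TLIST, "2024-04-11 02:00:00"):
        print(row)
```

Run against the sample, the single tunnel shows a 3600-second lifetime (the 1 hour the question asks about), the remaining time at the assumed instant, NAT-T in use, and 3DES flagged as a legacy cipher; feeding it the live output of `vpn tu tlist` after a rekey is a quick way to confirm whether a lifetime change actually took effect.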

G_W_Albrecht

sk104760: ATRG: VPN Core

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ricki_Juntak

Thanks Albrecht,

I have read the SK and I am confused, because I can't find any mention of tunnel_expiration and tunnel created.

I have tried it in the lab (using the CheckMates lab).

I tried to find the configuration for tunnel created and tunnel expiration, and I tried to change vpn_table.def on the SMS (R81.10):

#define ISAKMP_TABLE_TIMEOUT 3600 --> changed to 300
#define SPI_TABLE_TIMEOUT 3600 --> changed to 300
#define IKE_SA_TABLE_TIMEOUT 3600 --> changed to 300

After the change, I pushed policy.

But the result is the same: the duration for the tunnel is still 1 hour.

G_W_Albrecht
IKE_SA_table
  • Contains information about all ISAKMP SAs.
  • Entries from this table are used to conduct IKE Quick Mode negotiation of IPsec SA.
  • Entries are extracted from this table when the vpnd daemon is trapped for IPsec SA renewal.
  • Default expiration time is 3600 seconds = 1 hour!
  • Synchronized in cluster.
  • Table entry is:
    either
    <Peer_IP ,0 , CookieI, CookieR; IKE_SA, IKE_SA_flag, RenegotiationTime; Timeout>
    or
    <Peer_IP, 0; IKE_SA, CookieI, CookieR, IKE_SA_flag, RenegotiationTime; Timeout>
    where:
    • Peer_IP - IP address of IKE peer
    • CookieI - initiator cookie (8 bytes in host byte order)
    • CookieR - responder cookie (8 bytes in host byte order)
    • IKE_SA - ISAKMP SA data in Check Point code
    • IKE_SA_flag - one of these values: 0x01=mobile, 0x02=initiator, 0x03=DAIP
    • RenegotiationTime - The renegotiation time of the SA
    • Timeout - How much time remained to expiration time
Ricki_Juntak

Thanks Albrecht,

I'm using a remote access community. Is it possible to set the duration between tunnel created and tunnel expiration?

If the renegotiation time expires, what happens to the connection? Is it re-established?

G_W_Albrecht

Every hour, renegotiation of IPsec SA happens.

Ricki_Juntak

Thanks Albrecht,

During the IPsec SA renegotiation process, the connection status is always established, right? It does not interrupt the traffic?

Can you share the document about IPsec SA renegotiation on Check Point?

G_W_Albrecht

As this is standard, it is the same for all vendors: https://en.wikipedia.org/wiki/Internet_Key_Exchange

Ricki_Juntak

Thanks Albrecht
