IPSec tunnel rekeying

L2 Linker

Hi all,

We are using tunnel monitor on the IPSec tunnels and I am wondering if rekeying child SAs causes the tunnel monitor to bring the tunnel down. In addition I would like to know if PA stores a log of all the rekeys for each tunnel.

TIA

6 REPLIES

Cyber Elite

Hi @GnContente ,

Tunnel monitoring works by pinging a destination address on the other side of the tunnel -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-an-ip... Step 9, #2. So, rekeying child SAs will not cause the tunnel monitor to bring the tunnel down. The VPN does not drop during the rekeying process.

The PA does not store a log of the keys unless the debugging level is set to dump -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClinCAC. In general, logging IPsec keys is not a secure practice. The IPsec protocols use a very complicated process to generate secure keys in order not to be compromised -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/site-to-site-vpn-concepts/internet-k.... New keys are renegotiated at regular intervals to provide more security. So, I would never log the keys unless I needed to decrypt the traffic as described in the article.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung

Thanks for your reply. I am just trying to understand if there is any relation between tunnel monitoring bringing the tunnel down and rekeying, which according to your answer has nothing to do with rekeying. Apart from the ping failure within the tunnel and no problems on the physical interface, I am just trying to understand what might have caused those ping failures that ended up bringing the tunnel down. It would be nice to find some documentation that explains how the traffic is encapsulated.

Cyber Elite

Hi @GnContente ,

That is a very good question. If Tunnel Monitoring is configured with a Tunnel Monitoring Profile configured for Fail Over, then lost pings will bring the tunnel down. I had a customer that set up a VPN for a critical printer. He pinged the printer as part of his tunnel monitor configuration. The remote site powered off the printer, and the VPN went down! :-0 Or, the VPN could go down first, resulting in the loss of pings.

The first place I would look is in the system logs to see why the VPN went down. The logs will indicate if tunnel monitoring brought the tunnel down or something else did.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
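The triage Tom describes (did monitor ping loss or something else precede each tunnel-down event, and was a child SA rekey merely nearby?) can be scripted. This is an added example, not code from the thread or from Palo Alto Networks; the log lines and their field layout are constructed for the example and are not the real PAN-OS system-log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines for this example; the field layout is an
# assumption, not the real PAN-OS system-log format.
SAMPLE_LOG = """\
2024-03-01 10:00:05 vpn tunnel-a ike-rekey child SA rekey completed
2024-03-01 10:00:06 vpn tunnel-a monitor-ok ping to 10.1.1.1 ok
2024-03-01 10:14:50 vpn tunnel-b monitor-fail ping to 10.2.2.1 timed out
2024-03-01 10:14:55 vpn tunnel-b monitor-fail ping to 10.2.2.1 timed out
2024-03-01 10:15:00 vpn tunnel-b tunnel-down monitor failover threshold reached
2024-03-01 11:00:00 vpn tunnel-c ike-rekey child SA rekey completed
2024-03-01 11:00:30 vpn tunnel-c tunnel-down peer deleted SA
"""

LINE_RE = re.compile(r"^(\S+ \S+) vpn (\S+) (\S+) (.*)$")


def parse_log(text):
    """Return a list of (timestamp, tunnel, event, description) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a vpn event line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def triage(events, window_s=60):
    """For each tunnel-down event, count monitor ping failures and child SA
    rekeys on the same tunnel in the preceding window and label the cause."""
    window = timedelta(seconds=window_s)
    results = []
    for ts, tunnel, event, desc in events:
        if event != "tunnel-down":
            continue
        prior = [e for e in events if e[1] == tunnel and ts - window <= e[0] < ts]
        fails = sum(1 for e in prior if e[2] == "monitor-fail")
        rekeys = sum(1 for e in prior if e[2] == "ike-rekey")
        if fails:
            cause = "tunnel monitor (ping loss)"
        elif rekeys:
            cause = "rekey nearby, but a rekey alone does not drop the tunnel"
        else:
            cause = "other: " + desc
        results.append({"tunnel": tunnel, "time": ts.isoformat(),
                        "ping_failures": fails, "rekeys": rekeys, "cause": cause})
    return results


if __name__ == "__main__":
    for r in triage(parse_log(SAMPLE_LOG)):
        print(r)
```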

Hi @TomYoung, that is what I am trying to figure out. In my case the system logs only state that the tunnel was down, which I understand was due to tunnel monitoring. However, there is no log before or after which can give me a clue as to why it happened.

Regards

Cyber Elite

Hi @GnContente ,

That is strange. Usually the system log tells you why the tunnel went down in the Description column. It is possible it does not in this case. What exactly does the log say?

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung

It is a bit late for that, the log has already been overwritten. However, if I recall, the description was just saying that the tunnel was down.

Thanks

  • 1 accepted solution
  • 6230 Views
  • 6 replies
  • 0 Likes