RE: S2S VPN: why is a new QM SA negotiated every 5 minutes ?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 2 Jan 2006 09:12:54 -0800

I spoke to the guy that worked that problem and wrote the KB.
He suggested that you try it to see if it works for you.
If so, we can get the KB updated to reflect your findings.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] 
Sent: Monday, January 02, 2006 4:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] S2S VPN: why is a new QM SA negotiated every 5 minutes ?


Hi, 

I observed that if an S2S VPN connection of type IPSec Tunnel is used between two ISA 2004 servers, or between two Windows 2003 RRAS servers, or between an ISA 2004 server and a Windows 2003 RRAS server, then every 5 minutes the QM SA is deleted (Event ID 542) and a complete new QM SA is renegotiated (Event ID 541), even if there is traffic all the time (ping -t).

Is this a known issue and is there already a fix available? Also, I assume that KB907259 "You cannot sustain a connection for longer than 3 to 10 minutes between a Windows Server 2003 Service Pack 1-based computer and a Linux-based computer" (http://support.microsoft.com/kb/907259/en-us) has nothing to do with this issue. Right?


=== Technical details ===

In the ISA MMC, the summary of the IPSec configuration is: 

--- Begin ---

Local Tunnel Endpoint: 192.168.1.30
Remote Tunnel Endpoint: 192.168.1.10

To allow HTTP proxy or NAT traffic to the remote site, the remote site
configuration must contain the local site tunnel end-point IP address.

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication method: Pre-shared secret (azerty)
    Security Association lifetime: 28800 seconds 

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time rekeying: ON
    Security Association lifetime: 3600 seconds <<<< one hour !!!
    Kbyte rekeying: OFF

Remote Network 'RemoteSite#22' IP Subnets:
    Subnet: 192.168.1.10/255.255.255.255
    Subnet: 192.168.22.0/255.255.255.0

Local Network 'Internal' IP Subnets:
    Subnet: 192.168.44.0/255.255.255.0

--- End ---

According to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/8fbd7659-ca23-4320-a350-6890049086bc.mspx and http://www.microsoft.com/windowsserver2003/techinfo/overview/ipsecfaq.mspx the default idle timeout for a quick mode SA is 300 seconds. This can be changed with the following registry key (see http://support.microsoft.com/default.aspx?scid=kb;en-us;257225):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
    Value name: SAIdleTime
    Data Type: REG_DWORD
    Value data: 300 - 3600 (default=300)

So, it sounds as if on a fully patched Windows 2003 SP1, the QM SA idle timeout function is *not* working very well. A workaround is to set SAIdleTime=3600, which is the same value as the default QM SA lifetime. In other words, after at most one hour a complete new QM SA will be renegotiated because the session keys must be refreshed anyway.


Thanks,
Stefaan
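To confirm from the Security log which timer is cycling the QM SA (the 300 s SAIdleTime idle timeout or the 3600 s lifetime), here is an added example that is not from either poster: it measures the interval between successive Event ID 541 entries. The three-column CSV export layout and the log lines are constructed assumptions.

```python
"""Measure the interval between IPsec quick mode SA events exported from the
Windows Security log (541 = QM SA established, 542 = QM SA deleted) to tell an
idle-timeout teardown (~SAIdleTime, default 300 s) from a lifetime rekey."""
from datetime import datetime
from statistics import median

SA_IDLE_TIME_DEFAULT = 300   # seconds, default SAIdleTime (KB 257225)
QM_SA_LIFETIME = 3600        # seconds, QM SA lifetime from the ISA summary

# Constructed sample export, not a real log: "<timestamp>,<event id>,<message>"
SAMPLE_LOG = """\
2006-01-02 04:00:00,541,IKE security association established (quick mode)
2006-01-02 04:05:00,542,IKE security association ended (quick mode)
2006-01-02 04:05:01,541,IKE security association established (quick mode)
2006-01-02 04:10:01,542,IKE security association ended (quick mode)
2006-01-02 04:10:02,541,IKE security association established (quick mode)
2006-01-02 04:15:02,542,IKE security association ended (quick mode)
2006-01-02 04:15:03,541,IKE security association established (quick mode)
"""

def parse_events(text):
    """Return (timestamp, event_id) pairs, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0].strip(), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(parts[1])))
        except ValueError:
            continue
    return events

def qm_sa_intervals(events, event_id=541):
    """Seconds between consecutive QM SA establishments (Event ID 541)."""
    times = [ts for ts, eid in events if eid == event_id]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def classify_rekey(intervals, tolerance=0.1):
    """Name the timer whose period the median rekey interval matches."""
    if not intervals:
        return "insufficient data"
    m = median(intervals)
    if abs(m - SA_IDLE_TIME_DEFAULT) <= tolerance * SA_IDLE_TIME_DEFAULT:
        return "idle timeout (SAIdleTime) is tearing the QM SA down despite traffic"
    if abs(m - QM_SA_LIFETIME) <= tolerance * QM_SA_LIFETIME:
        return "normal lifetime rekey"
    return "unexpected cadence: median %.0f s" % m
```

Run it over a CSV export of the Security log with the same three columns; an interval near 300 s under continuous traffic reproduces the symptom in the post, and after setting SAIdleTime=3600 the cadence should move to the 3600 s lifetime.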

