S2S VPN: why is a new QM SA negotiated every 5 minutes ?

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 29 Dec 2005 20:40:26 +0100

Hi, 

I observed that if an S2S VPN connection of type IPSec Tunnel is used
between two ISA 2004 servers, or between two Windows 2003 RRAS servers, or
between an ISA 2004 server and a Windows 2003 RRAS server, then every 5
minutes the QM SA is deleted (Event ID 542) and a complete new QM SA is
renegotiated (Event ID 541), even if there is traffic all the time (ping
-t). 

In the ISA MMC, the summary of the IPSec configuration is: 

--- Begin ---

Local Tunnel Endpoint: 192.168.1.30
Remote Tunnel Endpoint: 192.168.1.10

To allow HTTP proxy or NAT traffic to the remote site, 
the remote site configuration must contain the local 
site tunnel end-point IP address.

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication method: Pre-shared secret (azerty)
    Security Association lifetime: 28800 seconds 

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time rekeying: ON
    Security Association lifetime: 3600 seconds <<<< one hour !!!
    Kbyte rekeying: OFF

Remote Network 'RemoteSite#22' IP Subnets:
    Subnet: 192.168.1.10/255.255.255.255
    Subnet: 192.168.22.0/255.255.255.0

Local Network 'Internal' IP Subnets:
    Subnet: 192.168.44.0/255.255.255.0

--- End ---

According to
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/8fbd7659-ca23-4320-a350-6890049086bc.mspx and
http://www.microsoft.com/windowsserver2003/techinfo/overview/ipsecfaq.mspx
the default idle timeout for a quick mode SA is 300 seconds. This can be
changed with the following registry key: 
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
    Value name: SAIdleTime
    Data Type: REG_DWORD
    Value data: 300 - 3600 (default=300)

So, it sounds like on a fully patched Windows 2003 SP1, the QM SA idle
timeout function is *not* working very well. A workaround is to set
SAIdleTime=3600, that's the same value as the default QM SA lifetime. In
other words, after at most one hour a complete new QM SA will be
renegotiated because the session keys must be refreshed anyway. 

Is this a known issue and is there already a fix available? Also, I assume
that KB907259 "You cannot sustain a connection for longer than 3 to 10
minutes between a Windows Server 2003 Service Pack 1-based computer and a
Linux-based computer" (http://support.microsoft.com/kb/907259/en-us) has
nothing to do with this issue. Right? 


Thanks, 
Stefaan
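A small diagnostic in the spirit of the observation above, added here as an example and not part of the original post or of any Microsoft tooling: it takes quick mode SA events (Event ID 541 established, 542 deleted, as named in the post), measures how long each QM SA lived, and reports whether the rekey cadence matches the 300 second SAIdleTime default or the 3600 second QM SA lifetime from the configuration summary. The "timestamp|event_id|description" line format and the timestamps are constructed sample data, not real Windows event log output; exporting the Security log on a real server would need a different parser. The range check at the end mirrors the documented 300 to 3600 bounds for SAIdleTime.

```python
from datetime import datetime

# Constructed sample data (not real event log output). One line per event:
# "timestamp|event_id|description". 541 = QM SA established, 542 = QM SA deleted.
SAMPLE_EVENTS = """\
2005-12-29 19:00:00|541|IKE security association established (quick mode)
2005-12-29 19:05:00|542|IKE security association ended (quick mode)
2005-12-29 19:05:01|541|IKE security association established (quick mode)
2005-12-29 19:10:01|542|IKE security association ended (quick mode)
2005-12-29 19:10:02|541|IKE security association established (quick mode)
2005-12-29 19:15:02|542|IKE security association ended (quick mode)
"""

# Values taken from the post: documented SAIdleTime range and default, and the
# QM SA lifetime shown in the ISA configuration summary.
SA_IDLE_TIME_MIN = 300
SA_IDLE_TIME_MAX = 3600
SA_IDLE_TIME_DEFAULT = 300
QM_SA_LIFETIME = 3600

EVENT_QM_SA_ESTABLISHED = 541
EVENT_QM_SA_DELETED = 542


def parse_events(text):
    """Parse the constructed 'timestamp|event_id|description' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, desc = line.split("|", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), desc))
    return events


def qm_sa_durations(events):
    """Seconds each QM SA lived: from its 541 event to the next 542 event."""
    durations = []
    established = None
    for ts, eid, _ in events:
        if eid == EVENT_QM_SA_ESTABLISHED:
            established = ts
        elif eid == EVENT_QM_SA_DELETED and established is not None:
            durations.append(int((ts - established).total_seconds()))
            established = None
    return durations


def diagnose(durations, sa_idle_time=SA_IDLE_TIME_DEFAULT,
             lifetime=QM_SA_LIFETIME, tolerance=30):
    """Classify the rekey cadence as idle-timeout driven, lifetime driven, or other.

    Uses the median duration so a single odd SA does not skew the verdict.
    """
    if not durations:
        return "no complete QM SA observed"
    typical = sorted(durations)[len(durations) // 2]
    if abs(typical - sa_idle_time) <= tolerance:
        return "idle-timeout"
    if abs(typical - lifetime) <= tolerance:
        return "lifetime"
    return "other"


def is_valid_sa_idle_time(value):
    """True if value is an integer inside the documented 300..3600 range."""
    return isinstance(value, int) and SA_IDLE_TIME_MIN <= value <= SA_IDLE_TIME_MAX


if __name__ == "__main__":
    durations = qm_sa_durations(parse_events(SAMPLE_EVENTS))
    print("QM SA durations (s):", durations)
    print("rekey cadence explained by:", diagnose(durations))
    print("SAIdleTime=3600 valid:", is_valid_sa_idle_time(3600))
```

With the sample data every SA lives exactly 300 seconds despite continuous traffic, so the verdict is "idle-timeout", which is the symptom the post describes; after applying the SAIdleTime=3600 workaround the same script run on fresh events should report "lifetime" instead.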


