Rebuild time VPN connection after maintenance internet router
We have many customers (more than 7) using a ZyWALL 110 to establish a IPSec VPN connection to our company. These are VPN client to side connections. See drawing below.
Now we had to do some maintenance to our Internet router and now all the VPN connections to our customers are lost. When we wait 24 hours (86400 sec.), all the VPN connections are established again, but this is to long for us.
How can I reduce the time, so all the VPN connections are working again?
Is this to reduce the Phase 2 SA Life Time of our ZyWALL or do I have to change this value at all the customers?
Is it possible to reduce the SA Life Time to 900 sec. or is this not a good idea? Or is there a better setting to reestablish the VPN connection again?
Now we had to do some maintenance to our Internet router and now all the VPN connections to our customers are lost. When we wait 24 hours (86400 sec.), all the VPN connections are established again, but this is to long for us.
How can I reduce the time, so all the VPN connections are working again?
Is this to reduce the Phase 2 SA Life Time of our ZyWALL or do I have to change this value at all the customers?
Is it possible to reduce the SA Life Time to 900 sec. or is this not a good idea? Or is there a better setting to reestablish the VPN connection again?
0
All Replies
-
@Raymond
Regarding to this case,you can Check “Nailed up” on VPN connection page, therefore, the device(Client role) will initiate VPN session immediately once the network access is back.
0 -
@Zyxel_Charlie
I checked several VPN clients and at all this option is activated, but is still takes 24 hours at max when all the VPN's are up again.
0 -
@Raymond,
Here the recommends,
1. The Phase 1 life time great than phase 2 (phase 1-1 day:86400 secs., phase 2-:1 hr: 3600 secs.)
IKE phase I is more processor intensive than IKE phase II, since the Diffie-Hellman keys have to be produced and the peers authenticated each time.
For this reason, IKE phase I is performed less frequently. However, the IKE SA is only valid for a certain period, after which the IKE SA must be renegotiated.
The IPSec SA is valid for an even shorter period, meaning many IKE phase II's take place.
Reference:
https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13847.htm
https://forums.juniper.net/t5/SRX-Services-Gateway/IKE-life-time-VS-IPSEC-life-time/td-p/140937
2. Set up Connectivity Check in Phase 2 of each remote client
Once the connectivity check fail. The client side will auto disconnect and re-negotiate IKE with the server side.
This is a event trigger action which is fast than lifetime timeout.
0 -
@zyman2008
Thanks, are there some setup recommendations for the Connectivity check?0 -
On Connectivity check, I use ICMP as method ,and default value for others.
0 -
@Jeremylin
Thanks.0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 218 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 245 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3.1K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight