Could someone tell me which type of SAs we see under IP / IPSec / Installed SAs?
As far as I know, there are two different SAs in IPSec (IKE SAs for phase 1, and IPSec SAs for phase 2).
Looking at the timeouts, it seems the Installed SAs tab shows the IPSec SAs related to phase 2, and the Remote Peers tab shows the IKE SAs related to phase 1.
And could you tell me what the standard behaviour of these SAs should be …
If the phase 2 SAs reach their configured timeout, should RouterOS renegotiate new phase 2 SAs? Or does it not need to do that, because it will negotiate new phase 2 SAs over the phase 1 SA when the tunnel gets some traffic?
If SAs are already created, then when the soft timer (~75% of SA lifetime) expires RouterOS tries to negotiate new SAs. Old SAs are kept until the hard timer (SA lifetime) expires.
I checked that, and RouterOS tried to renew the phase 2 SAs when the SAs had 24 minutes of lifetime remaining. 30 minutes remaining is 75%, so it seems to be ok.
The problem is that the other router (McAfee firewall) does its soft rekeying at 85% of the SA timeout, so my rekey at around 75% isn't allowed. And the hard rekey when the timeout arrives on RouterOS doesn't work, because the other router detects the phase 2 as expired and the phase 1 is dropped too.
At that moment the phase 1 on RouterOS is renegotiated and RouterOS sees it as ok, but McAfee doesn't show anything for phase 1. And obviously the attempts of RouterOS to set up a phase 2 always fail, because the phase 1 doesn't exist on McAfee.
It doesn't matter if rekey on McAfee is at 85%. RouterOS will always respond to a new SA renegotiation, so it should work unless McAfee is not trying to renegotiate SAs even at 85%.
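The soft/hard timer interaction discussed in this thread can be worked through with a small timeline model. The following is an added example, not code from the forum, RouterOS or McAfee; the peer names, the lifetime of 1800 s, the soft-timer fractions (0.75 for the RouterOS side as stated above, 0.85 for the firewall side) and the `accepts_peer_rekey` / `initiates` flags are constructed assumptions used to illustrate when a child SA gets replaced before its hard lifetime and when the tunnel simply expires.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Peer:
    """One IPsec endpoint's rekey policy (hypothetical model, not a vendor API)."""
    name: str
    soft_fraction: float           # fraction of the SA lifetime at which this peer initiates a rekey
    initiates: bool = True         # whether this peer starts a rekey at its own soft timer
    accepts_peer_rekey: bool = True  # whether it accepts a rekey proposed before its own soft timer fires


def simulate_rekey(lifetime_s: int, a: Peer, b: Peer) -> Tuple[str, Optional[float], List[str]]:
    """Walk the SA lifetime and return (outcome, rekey_time, events).

    outcome is "rekeyed" if a replacement SA was installed before the hard
    lifetime, otherwise "expired" (both sides delete the SA, tunnel goes down).
    """
    events: List[str] = []

    # Each peer that initiates will propose a new SA when its soft timer fires.
    proposals = []
    for initiator, responder in ((a, b), (b, a)):
        if initiator.initiates:
            proposals.append((initiator.soft_fraction * lifetime_s, initiator, responder))
    proposals.sort(key=lambda p: p[0])  # earliest soft timer goes first

    for t, initiator, responder in proposals:
        if t >= lifetime_s:
            continue  # a soft timer at or after the hard lifetime never helps
        events.append(f"t={t:.0f}s {initiator.name}: soft timer fired, proposes new phase 2 SA")
        # The responder accepts if it tolerates early proposals, or if its own
        # soft timer has already fired by now (so it wanted to rekey anyway).
        if responder.accepts_peer_rekey or t >= responder.soft_fraction * lifetime_s:
            events.append(
                f"t={t:.0f}s {responder.name}: accepts; new SA installed, "
                f"old SA kept until hard lifetime t={lifetime_s}s"
            )
            return "rekeyed", t, events
        events.append(f"t={t:.0f}s {responder.name}: rejects proposal (before its own soft timer)")

    events.append(f"t={lifetime_s}s hard lifetime: SA deleted on both sides, no replacement, tunnel down")
    return "expired", None, events


def main() -> None:
    routeros = Peer("RouterOS", soft_fraction=0.75)
    # Scenario 1: firewall rekeys at 85% but accepts the earlier proposal -> fine.
    # Scenario 2: firewall rejects early proposals but initiates its own at 85% -> still fine.
    # Scenario 3: firewall neither accepts early nor initiates -> SA expires, tunnel down.
    scenarios = {
        "accepts early": Peer("Firewall", 0.85),
        "rejects early, initiates at 85%": Peer("Firewall", 0.85, accepts_peer_rekey=False),
        "rejects early, never initiates": Peer("Firewall", 0.85, initiates=False, accepts_peer_rekey=False),
    }
    for label, fw in scenarios.items():
        outcome, t, events = simulate_rekey(1800, routeros, fw)
        print(f"--- {label}: {outcome}" + (f" at t={t:.0f}s" if t is not None else ""))
        for line in events:
            print("   ", line)


if __name__ == "__main__":
    main()
```

The model reproduces the point made in the last reply: a mismatch in soft-timer percentages alone does not break the tunnel, because whichever side proposes first only needs the other side to respond, and the old SA stays installed until the hard lifetime. The tunnel only drops when one side neither accepts the early proposal nor initiates a rekey of its own before the hard timer, which is the case worth checking in the firewall's logs.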