[AusNOG] IPSEC time skew renegotiate?

Colin Stubbs colin.stubbs at equatetechnologies.com.au
Mon Jan 6 15:13:58 EST 2014


Very unlikely to be directly a time/NTP issue if it's that small a
difference.

Encryption and authentication with basic IPSec PSK type configurations
aren't dependent on time synchronisation with peers.

Expiry of negotiated phase 1/2 parameters might happen if there was a
larger skew, e.g. minutes/hours.

I'd lean towards a phase 2 renegotiation failure. Or a software bug triggered
by time skew and adjustment.

What are the phase 1 and 2 parameters for each side of the tunnel? e.g.
lifetime in seconds and/or bytes?


On 6 January 2014 13:09, Geordie Guy <elomis at gmail.com> wrote:

> G'day NOGgers,
>
> We have an IPSEC peer that keeps dropping the tunnel and renegotiating.
> The only events in the logs on their side that look like they could be
> related are a fairly constant NTP update which is causing their Netscreen
> to adjust by between 3 and 13 milliseconds every ten minutes.  Would this
> cause the tunnel to renegotiate when the clock changed?  It seems to happen
> on the half hour every half hour, or every three NTP updates.
>
> - Geordie
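
One way to run the check the reply asks for, as an added example that is not part of the original thread: compare the observed interval between tunnel drops with the phase 1/2 lifetimes configured on each side. The timestamps, lifetime values and function names are constructed for illustration and are not taken from either peer's configuration.

```python
from datetime import datetime
from statistics import median

# Constructed sample data: tunnel-down times as they might appear in an event log.
DROP_TIMES = [
    "2014-01-06 10:00:02", "2014-01-06 10:30:01", "2014-01-06 11:00:03",
    "2014-01-06 11:30:02", "2014-01-06 12:00:01",
]
# Constructed (hypothetical) lifetimes in seconds for each side of the tunnel.
LIFETIMES = {
    "local":  {"phase1": 28800, "phase2": 3600},
    "remote": {"phase1": 28800, "phase2": 1800},
}

def drop_period(times):
    """Median number of seconds between consecutive tunnel drops."""
    ts = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t in times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return median(gaps) if gaps else None

def mismatched_phases(lifetimes):
    """Phases whose configured lifetime differs between the two sides."""
    a, b = lifetimes.values()  # expects exactly two peers
    return sorted(p for p in a if a[p] != b.get(p))

def expiry_matches(period, lifetimes, tolerance=0.05):
    """(side, phase) pairs whose lifetime is within tolerance of the drop period."""
    if period is None:
        return []
    return sorted(
        (side, phase)
        for side, phases in lifetimes.items()
        for phase, secs in phases.items()
        if abs(secs - period) <= tolerance * secs
    )

def report(times, lifetimes):
    """Summarise the drop period and which lifetime settings line up with it."""
    period = drop_period(times)
    return {
        "period_s": period,
        "mismatched": mismatched_phases(lifetimes),
        "expiry_matches": expiry_matches(period, lifetimes),
    }

if __name__ == "__main__":
    print(report(DROP_TIMES, LIFETIMES))
```

A drop period that lines up with one side's lifetime, on a phase where the two sides disagree, points at rekeying rather than the millisecond NTP adjustments.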