[vpn] Nokia Crypto Cluster <-> Cisco 1720

[Raymakers, Guy]

Alberto,

We are talking about the Cryptocluster, but maybe there same issue exists
between Cisco and other VPN boxes. I've ran some ping tools and found that
exactly every 8 hours, the communication is interrupted for a small amount
of time (1 a 2 min). The 8 hours is exactly the lifetime of the IKE SA.

Also, there's some issue if the Cisco router still has an SA (IKE and IPSEC)
and the Cryptocluster has lost the SA's (due to reboot or failure or...). At
that moment there will be no connection until the IKE SA expires on the
Cisco router. This behavior is caused by the fact that Cisco doesn't accept
the new IKE proposal, considers this as a possible attack and hence discards
the new connection attempts ....

Best regards,
Guy

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Monday, January 07, 2002 22:19
To: 'Joel M Snyder'
Cc: Raymakers, Guy; Markus Schlup
Subject: RE: [vpn] Nokia Crypto Cluster <-> Cisco 1720


No, I am talking about the Nokia IPXXX line. but still is doesn't matter.
IKE is IKE (Unless it's not FULLY written to the RFC.  Hint Cisco).
I included the FW1 mailing list just incase someone there is having IPSec
problems regarding SAs.

I hope my info helped.


AC

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
Sent: Monday, January 07, 2002 1:16 PM
To: Cardona, Alberto
Cc: 'Raymakers, Guy'; 'Joel M Snyder'; Markus Schlup
Subject: RE: [vpn] Nokia Crypto Cluster <-> Cisco 1720


Just curious: you are talking about Nokia, as in the CryptoCluster stuff,
right?  I noticed that you added the FW1 mailing list into the mix, and
that's
a whole different product.  It's from Check Point.  

jms


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)  
jms at Opus1.COM    http://www.opus1.com/jms    Opus One

VPN is sponsored by SecurityFocus.com