Document ID: 14111
Updated: Feb 02, 2006
Contents
Introduction
This document reports the lab test results of IP Security (IPSec) LAN-to-LAN tunnel renegotiation between different Cisco VPN products in various scenarios, such as VPN device reboot, rekey, and the manual termination of IPSec security associations (SAs).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
-
Cisco IOSĀ® Software Release 12.1(5)T8
-
Cisco PIX Software Release 6.0(1)
-
Cisco VPN 3000 Concentrator software version 3.0(3)A
-
Cisco VPN 5000 Concentrator software version 5.2(21)
The IP traffic used in this test is bi-directional Internet Control Message Protocol (ICMP) packets between hostA and hostB.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Network Diagram
This is a concept diagram of the test bed.
VPN devices represent a Cisco IOS router, a Cisco Secure PIX Firewall, a Cisco VPN 3000 Concentrator or a Cisco VPN 5000 Concentrator.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Test Scenarios
Three common scenarios were tested. The following is a brief definition of the test scenarios:
-
Manual termination of IPSec SAs—User logs on to the VPN devices and manually clears the IPSec SAs using the command line interface (CLI) or the graphical user interface (GUI).
-
Rekey—Normal IPSec phase I and phase II rekey when defined lifetime expires. In this test, the two VPN termination devices have the same phase I and phase II lifetime configured.
-
VPN device reboot—Either end of the VPN tunnel termination points was rebooted to simulate service outage.
Note: For LAN-to-LAN tunnels where the VPN 5000 Concentrator is used, the concentrator is configured using the MAIN mode and tunnel responder.
Test Results
Setup | Manually Termination of IPSec SAs | Rekey | VPN Device Reboot |
---|---|---|---|
IOS to PIX |
|
|
|
IOS to VPN 3000 |
|
|
|
IOS to VPN 5000 |
|
|
|
PIX to VPN 3000 |
|
|
|
PIX to VPN 5000 |
|
|
|
VPN 3000 to VPN 5000 |
|
|
|
1 As described above, the test traffic used is bi-directional ICMP packets between hostA and hostB. In the VPN device reboot test, unidirectional traffic is also tested to simulate the worst case scenario (where traffic is only from the host behind the VPN device which is not rebooted to the VPN device which is rebooted). As can been seen from the table, with IKE keepalive or with DPD protocol, the VPN tunnel can be recovered from the worst case scenario.
2 DPD is part of the Unity protocol. Currently this feature is only available on the Cisco VPN 3000 Concentrator with software version 3.0 and above and on the PIX Firewall with software version 6.0(1) and above.
Related Information
Open a Support Case (Requires a Cisco Service Contract.)
Related Cisco Support Community Discussions
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.