VPNs would break right away; as soon as you reset SIC, the initial policy is loaded.

________________________________
From: David DeSimone <[email protected]>
To: [email protected]
Sent: Tue, May 24, 2011 8:55:28 AM
Subject: Re: [FW-1] vpn and manager

VPNs would not break right away. The gateways are in the habit of pre-loading the CRL every 2 hours, so they should have a recent copy of it whenever they need it; the problem is that the expiry lifetime of the CRL is 24 hours at best, which is why that is the maximum time you have to establish new SIC and install a new policy.

There is no way to avoid using certificate-based authentication for internally-managed gateways, I believe. It is not an available option to use pre-shared secrets, except with externally-managed peers.

Peter Addy <[email protected]> wrote:
>
> Thanks, now to add a further spin! What if the manager changed and SIC
> was established with another manager: would the VPNs break instantly,
> or not until a new policy was pushed from the new manager? Basically I
> assume there is no real way to keep a VPN intact with hardly any downtime
> if a new manager was deployed, changing the VPN from cert to pre-shared key.
> Cheers
>
>
> On Tue, 24 May 2011 01:34 BST David DeSimone wrote:
>
> >Since we just recently had this happen to us on our network, I can
> >confirm that this is exactly what happens.
> >
> >Certificate-based VPNs will fail within 24 hours due to the gateways'
> >inability to load the CRL.
> >
> >Pre-shared secret VPNs will continue to operate, presumably
> >indefinitely.
> >
> >
> >Independent IT Consultant <[email protected]> wrote:
> >>
> >> It greatly depends on the *type* of VPN. If using certificates (such
> >> as with Edges or other gateways that are centrally managed), then
> >> the limiting factor is the CRL expiration on the ICA, which is, by
> >> default, 24 hours. In this case, tunnels that can't validate their
> >> certificates will fail after that CRL timeout period. Remember,
> >> it's 24 hours after the last CRL refresh, not necessarily 24 hours
> >> after the SMC went down. With VPNs to external gateways using shared
> >> secret, they may work indefinitely, but I wouldn't guarantee it.
> >>
> >>
> >> On Mon, May 23, 2011 at 12:45 PM, Peter Addy <[email protected]> wrote:
> >>
> >> > Curious, does anyone know how long VPNs would continue to work if a
> >> > SmartCenter was down and not available for ? And if they do stop, why
> >> > is this so, or do they simply continue to run but changes cannot be
> >> > made until the manager was restored? Thanks

--
David DeSimone == Network Admin == [email protected]
"I don't like spinach, and I'm glad I don't, because if I liked it
 I'd eat it, and I just hate it." -- Clarence Darrow
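The timing rule discussed in this thread (tunnels fail 24 hours after the last CRL refresh, not 24 hours after the management server went down) is easy to get wrong when planning a maintenance window. The following is an added example, not from the list or from Check Point, that models the behaviour the thread describes: a CRL pre-load every 2 hours, a 24-hour CRL lifetime counted from the last refresh, and pre-shared-secret tunnels that need no CRL. The refresh-schedule anchor, outage time and tunnel names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Behaviour as described in the thread for ICA-issued gateway certificates.
CRL_REFRESH_INTERVAL = timedelta(hours=2)  # gateways pre-load the CRL every 2 hours
CRL_LIFETIME = timedelta(hours=24)         # a cached CRL is valid for 24 hours at best

@dataclass(frozen=True)
class Tunnel:
    name: str
    auth: str  # "cert" for internally managed peers, "psk" for external peers

def last_crl_refresh(outage_start: datetime, schedule_anchor: datetime) -> datetime:
    """Last pre-load that completed before the management server went down.
    Assumes (constructed) that refreshes run every 2 h from schedule_anchor."""
    completed_slots = (outage_start - schedule_anchor) // CRL_REFRESH_INTERVAL
    return schedule_anchor + completed_slots * CRL_REFRESH_INTERVAL

def crl_deadline(outage_start: datetime, schedule_anchor: datetime) -> datetime:
    """Moment after which certificate-based tunnels can no longer validate peers:
    24 h after the last CRL refresh, not 24 h after the outage began."""
    return last_crl_refresh(outage_start, schedule_anchor) + CRL_LIFETIME

def tunnel_status(tunnel: Tunnel, now: datetime,
                  outage_start: datetime, schedule_anchor: datetime) -> str:
    """'unaffected' for PSK tunnels; 'up' or 'down' for certificate tunnels."""
    if tunnel.auth != "cert":
        return "unaffected"  # pre-shared secret: no CRL involved
    return "up" if now < crl_deadline(outage_start, schedule_anchor) else "down"

def demo() -> dict:
    """Constructed sample timeline: refresh schedule anchored at midnight UTC,
    SmartCenter lost at 12:45, so the last refresh finished at 12:00."""
    anchor = datetime(2011, 5, 23, 0, 0, tzinfo=timezone.utc)
    outage = datetime(2011, 5, 23, 12, 45, tzinfo=timezone.utc)
    tunnels = [Tunnel("branch-A", "cert"), Tunnel("partner-B", "psk")]
    deadline = crl_deadline(outage, anchor)
    report = {"naive": f"{outage + CRL_LIFETIME:%Y-%m-%d %H:%M}",
              "deadline": f"{deadline:%Y-%m-%d %H:%M}"}
    for label, probe in (("before", deadline - timedelta(minutes=1)),
                         ("after", deadline + timedelta(minutes=1))):
        report[label] = {t.name: tunnel_status(t, probe, outage, anchor) for t in tunnels}
    return report

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Here the naive "outage plus 24 hours" estimate is 45 minutes too late; the certificate tunnel is already down by then while the PSK tunnel is never touched by the CRL.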
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
