Thanks, would I be correct in saying that you cannot use the same VPN 
certificate for the same VPN, where only the manager SmartCenter is changing?

On Tue, 24 May 2011 17:28 BST David DeSimone wrote:

>Gary Scott <[email protected]> wrote:
>>
>> VPNs would break right away; as soon as you reset SIC, the initial policy is 
>> loaded.
>
>One presumes that you would not reset SIC until you are just about to
>install the new policy.
>
>
>> ________________________________
>> From: David DeSimone <[email protected]>
>> To: [email protected]
>> Sent: Tue, May 24, 2011 8:55:28 AM
>> Subject: Re: [FW-1] vpn and manager
>> 
>> VPN's would not break right away.  The gateways are in the habit of
>> pre-loading the CRL every 2 hours, so they should have a recent copy of
>> it whenever they need it; the problem is that the expiry lifetime of the
>> CRL is 24 hours at best, which is why that is the maximum time you have
>> to establish new SIC and install a new policy.
>> 
>> There is no way to avoid using certificated-based authentication for
>> internally-managed gateways, I believe.  It is not an available option
>> to use pre-shared secrets, except with externally-managed peers.
>> 
>> 
>> Peter Addy <[email protected]> wrote:
>> >
>> > Thanks, now to add a further spin! What if the manager changed and SIC
>> > was established with another manager, would the VPNs break instantly
>> > or not until a new policy was pushed from the new manager? Basically I
>> > assume there is no real way to keep a VPN intact and hardly any down
>> > time if a new manager was deployed changing the VPN from cert to pre-
>> > shared key, cheers
>> > 
>> > 
>> > On Tue, 24 May 2011 01:34 BST David DeSimone wrote:
>> > 
>> > >Since we just recently had this happen to us on our network, I can
>> > >confirm that this is exactly what happens.
>> > >
>> > >Certificate-based VPN's will fail within 24 hours due to the gateways'
>> > >inability to load the CRL.
>> > >
>> > >Pre-shared secret VPN's will continue to operate, presumably
>> > >indefinitely.
>> > >
>> > >
>> > >Independent IT Consultant <[email protected]> wrote:
>> > >>
>> > >> It greatly depends on the *type* of VPN.  If using certificates (such
>> > >> as with Edges or other gateways that are centrally managed), then
>> > >> the limiting factor is the CRL expiration on the ICA, which is, by
>> > >> default, 24 hours.  In this case, tunnels that can't validate their
>> > >> certificates will fail after that CRL timeout period.  Remember,
>> > >> it's 24 hours after the last CRL refresh, not necessarily 24 hours
>> > >> after the SMC went down.  With VPNs to external gateways using shared
>> > >> secret, they may work indefinitely, but I wouldn't guarantee it.
>> > >> 
>> > >> 
>> > >> On Mon, May 23, 2011 at 12:45 PM, Peter Addy <[email protected]> 
>> > >> wrote:
>> > >> 
>> > >> > Curious, does anyone know how long VPNs would continue to work if a
>> > >> > SmartCenter was down and not available? And if they do stop, why
>> > >> > is this so, or do they simply continue to run but changes cannot be
>> > >> > made until the manager is restored? Thanks
>
>-- 
>David DeSimone == Network Admin == [email protected]
>  "I don't like spinach, and I'm glad I don't, because if I
>   liked it I'd eat it, and I just hate it." -- Clarence Darrow



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================