Hi, any idea on this certificate question? Thanks.

On Tue, 31 May 2011 17:52 BST Peter Addy wrote:

> Thanks, would I be correct in saying that you cannot use the same VPN
> certificate for the same VPN, where only the manager (SmartCentre) is
> changing?
>
> On Tue, 24 May 2011 17:28 BST David DeSimone wrote:
>
>> Gary Scott <[email protected]> wrote:
>>>
>>> VPNs would break right away: as soon as you reset SIC, the initial policy
>>> is loaded.
>>
>> One presumes that you would not reset SIC until you are just about to
>> install the new policy.
>>
>>> ________________________________
>>> From: David DeSimone <[email protected]>
>>> To: [email protected]
>>> Sent: Tue, May 24, 2011 8:55:28 AM
>>> Subject: Re: [FW-1] vpn and manager
>>>
>>> VPNs would not break right away. The gateways are in the habit of
>>> pre-loading the CRL every 2 hours, so they should have a recent copy of
>>> it whenever they need it; the problem is that the expiry lifetime of the
>>> CRL is 24 hours at best, which is why that is the maximum time you have
>>> to establish new SIC and install a new policy.
>>>
>>> There is no way to avoid using certificate-based authentication for
>>> internally-managed gateways, I believe. It is not an available option
>>> to use pre-shared secrets, except with externally-managed peers.
>>>
>>> Peter Addy <[email protected]> wrote:
>>>>
>>>> Thanks, now to add a further spin! What if the manager changed and SIC
>>>> was established with another manager: would the VPNs break instantly,
>>>> or not until a new policy was pushed from the new manager? Basically I
>>>> assume there is no real way to keep a VPN intact with hardly any
>>>> downtime if a new manager was deployed, changing the VPN from cert to
>>>> pre-shared key. Cheers
>>>>
>>>> On Tue, 24 May 2011 01:34 BST David DeSimone wrote:
>>>>
>>>>> Since we just recently had this happen to us on our network, I can
>>>>> confirm that this is exactly what happens.
>>>>>
>>>>> Certificate-based VPNs will fail within 24 hours due to the gateways'
>>>>> inability to load the CRL.
>>>>>
>>>>> Pre-shared secret VPNs will continue to operate, presumably
>>>>> indefinitely.
>>>>>
>>>>> Independent IT Consultant <[email protected]> wrote:
>>>>>>
>>>>>> It greatly depends on the *type* of VPN. If using certificates (such
>>>>>> as with Edges or other gateways that are centrally managed), then
>>>>>> the limiting factor is the CRL expiration on the ICA, which is, by
>>>>>> default, 24 hours. In this case, tunnels that can't validate their
>>>>>> certificates will fail after that CRL timeout period. Remember,
>>>>>> it's 24 hours after the last CRL refresh, not necessarily 24 hours
>>>>>> after the SMC went down. With VPNs to external gateways using shared
>>>>>> secret, they may work indefinitely, but I wouldn't guarantee it.
>>>>>>
>>>>>> On Mon, May 23, 2011 at 12:45 PM, Peter Addy <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Curious: does anyone know how long VPNs would continue to work if a
>>>>>>> SmartCenter was down and not available? And if they do stop, why
>>>>>>> is this so, or do they simply continue to run but changes cannot be
>>>>>>> made until the manager was restored? Thanks
>>
>> --
>> David DeSimone == Network Admin == [email protected]
>>   "I don't like spinach, and I'm glad I don't, because if I
>>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
>>
>> Scanned by Check Point Total Security Gateway.
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to [email protected]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> [email protected]
>> =================================================
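The timing argument in the thread (gateways pre-load the CRL every 2 hours, the ICA's CRL lives 24 hours, so certificate-based tunnels die 24 hours after the last successful refresh rather than 24 hours after the SmartCenter went down, while pre-shared-secret tunnels keep running) is easy to get wrong when planning a management-server migration. The following is an added worked model of that argument; it is not Check Point code and nothing in it comes from the thread's participants. It assumes a simplified refresh model (the ICA issues a fresh CRL with nextUpdate = issue time + 24 h on every fetch, and a gateway refuses to validate peer certificates once its cached CRL is past nextUpdate). The names Gateway, simulate_outage and cert_failure_time, and the scenario times, are invented for the example.

```python
# Added illustration of the CRL-lifetime argument from the thread above.
# Not Check Point code. Toy model with these labelled assumptions:
#   - a managed gateway re-fetches the CRL from the ICA every 2 hours
#     (REFRESH_INTERVAL, figure from the thread) and the ICA issues each
#     CRL with nextUpdate = issue time + 24 hours (CRL_LIFETIME, from the thread);
#   - once the cached CRL is past nextUpdate the gateway can no longer
#     validate peer certificates, so certificate-based tunnels drop;
#   - pre-shared-secret tunnels never consult the ICA.
# Gateway, simulate_outage and cert_failure_time are names invented here.
from datetime import datetime, timedelta
from typing import Callable, Optional

HOUR = timedelta(hours=1)
REFRESH_INTERVAL = 2 * HOUR   # "pre-loading the CRL every 2 hours"
CRL_LIFETIME = 24 * HOUR      # "expiry lifetime of the CRL is 24 hours at best"


class Gateway:
    """One managed gateway holding a cached copy of the ICA's CRL (model)."""

    def __init__(self, auth: str, first_refresh: datetime) -> None:
        if auth not in ("cert", "psk"):
            raise ValueError("auth must be 'cert' or 'psk'")
        self.auth = auth
        self.crl_next_update: Optional[datetime] = None   # nextUpdate of cached CRL
        self.last_good_refresh: Optional[datetime] = None
        self._next_refresh = first_refresh

    def advance(self, now: datetime, ica_reachable: Callable[[datetime], bool]) -> None:
        """Run every scheduled CRL refresh up to `now`. A refresh succeeds only
        while the ICA (hosted on the SmartCenter) is reachable; otherwise the
        stale cached CRL stays in use until its nextUpdate passes."""
        while self._next_refresh <= now:
            t = self._next_refresh
            if self.auth == "cert" and ica_reachable(t):
                self.last_good_refresh = t
                self.crl_next_update = t + CRL_LIFETIME   # fresh CRL issued at t
            self._next_refresh += REFRESH_INTERVAL

    def tunnel_up(self, now: datetime) -> bool:
        """PSK tunnels need no CRL; cert tunnels need an unexpired one."""
        if self.auth == "psk":
            return True
        return self.crl_next_update is not None and now < self.crl_next_update


def simulate_outage(auth: str, start: datetime, outage_start: datetime,
                    horizon: datetime, step: timedelta = timedelta(minutes=5)) -> Optional[datetime]:
    """Step a gateway through time with the SmartCenter/ICA unreachable from
    `outage_start` onward. Return the first instant the tunnel is down, or
    None if it is still up at `horizon` (as PSK tunnels always are here)."""
    gw = Gateway(auth, first_refresh=start)
    now = start
    while now <= horizon:
        gw.advance(now, lambda t: t < outage_start)
        if not gw.tunnel_up(now):
            return now
        now += step
    return None


def cert_failure_time(start: datetime, outage_start: datetime) -> datetime:
    """Closed form of the same thing: cert tunnels fail CRL_LIFETIME after the
    last refresh that completed *before* the outage, not after the outage
    itself. Under the thread's reasoning this is also the deadline to
    re-establish SIC with a new manager and push policy."""
    elapsed = outage_start - start
    if elapsed <= timedelta(0):
        raise ValueError("outage must begin after the first refresh")
    # number of whole refresh intervals strictly before outage_start
    last_k = (elapsed - timedelta(microseconds=1)) // REFRESH_INTERVAL
    return start + last_k * REFRESH_INTERVAL + CRL_LIFETIME


# Constructed scenario: refreshes begin at midnight, SmartCenter dies at 05:30.
START = datetime(2011, 5, 23, 0, 0)
OUTAGE = START + 5.5 * HOUR

if __name__ == "__main__":
    horizon = START + 48 * HOUR
    for auth in ("cert", "psk"):
        print(auth, "tunnel down at:", simulate_outage(auth, START, OUTAGE, horizon))
    fail = cert_failure_time(START, OUTAGE)
    print("closed form:", fail, "=", (fail - OUTAGE) / HOUR, "hours after the outage")
```

With the constructed scenario the last good refresh is at 04:00, so cert tunnels drop at 04:00 the next day, 22.5 hours after the manager vanished; pre-shared-secret tunnels never go down in the model. Under these assumptions the real window is anywhere between 22 and 24 hours after the outage depending on where it lands in the refresh cycle, which is the thread's point that the clock starts at the last CRL refresh, not at the SMC failure, and why a SIC reset should be timed to the policy install that follows it.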
