Hello All:
I am seeing a difference in behavior on the J4350 vs. the SRX240 for the IKE key lifetime negotiation for IPsec phase 1. In both cases the peer is a Cisco 1841. Please see outputs below. Has anyone else run into this? I would expect that it ought to take the lower lifetime value as it does on the SRX240. BTW, I'm running Junos 10.4R4.5 on both Juniper routers.

On the SRX I saw what I expected to see, which is that the negotiated value is the lesser of the two if they do not match:

SRX240

[edit]
Devin@SRX240-1# show security ike proposal testikeprop
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin@SRX240-1# run show security ike security-associations detail
IKE peer 10.10.3.89, Index 7707821, Role: Initiator, State: UP
  Initiator cookie: ed10b684f40a71d2, Responder cookie: 3c2a1fb09e701c34
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.93:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 28795 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  688
   Output bytes  :                  880
   Input  packets:                    4
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 1851437682
    Local: 10.10.3.93:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.9.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done

Cisco 1841

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2

C1841-2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

C1841-2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1156  10.10.3.89      10.10.3.93             ACTIVE aes  sha  psk  2  0        D
       Engine-id:Conn-id = ??? (deleted)
1155  10.10.3.89      10.10.3.93             ACTIVE aes  sha  psk  2  07:59:34 D
       Engine-id:Conn-id = SW:155

With the J4350 in place of the SRX240, with the same configuration as shown for the SRX240 and the same configuration as shown for the Cisco 1841, I see:

J4350

[edit]
Devin@J4350-1# show security ike proposal testikeprop      <-- No lifetime configured so should use default of 28800
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin@J4350-1#
Devin@J4350-1> show security ike security-associations detail
IKE peer 10.10.3.89, Index 4833153, Role: Responder, State: UP
  Initiator cookie: b4443ecf19364ac2, Responder cookie: 7c741a4fcb0f5558
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.85:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 86321 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  864
   Output bytes  :                 1092
   Input  packets:                    5
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 931695683
    Local: 10.10.3.85:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.11.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done

Cisco 1841

C1841-2#sho crypto isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
0     10.10.3.89      10.10.3.85             ACTIVE aes  sha  psk  2  0        D
       Engine-id:Conn-id = ???
1237  10.10.3.89      10.10.3.85             ACTIVE aes  sha  psk  2  23:59:19 D
       Engine-id:Conn-id = SW:237

C1841-2#sho crypto isa pol

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Thanks,
Devin
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
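The check below is an added example, not part of Devin's post or of any Juniper or Cisco tool. It parses the two kinds of output quoted above (the Junos "show security ike security-associations detail" header and Lifetime lines, and the lifetime line of the first protection suite in IOS "show crypto isakmp policy"), infers which configured lifetime the phase 1 SA actually started from, and compares it with the expectation stated in the post: the lesser of the two sides' values. The sample inputs are constructed from the captures in the post, trimmed to the lines the parser needs; the 28800-second Junos default is taken from the post's own annotation, and the function and constant names are this example's, not Junos or IOS identifiers.

```python
import re

# Constructed sample input: fragments of the outputs quoted in the post above
# (Junos "show security ike security-associations detail" and Cisco IOS
# "show crypto isakmp policy"), trimmed to the lines the checker needs.
SRX240_SA = """\
IKE peer 10.10.3.89, Index 7707821, Role: Initiator, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.93:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 28795 seconds
"""

J4350_SA = """\
IKE peer 10.10.3.89, Index 4833153, Role: Responder, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.85:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 86321 seconds
"""

CISCO_POLICY = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        lifetime:               86400 seconds, no volume limit
"""

# Junos IKE SA lifetime used when the proposal configures no lifetime-seconds,
# as stated in the post's annotation (assumption taken from the post).
JUNOS_DEFAULT_IKE_LIFETIME = 28800

_SA_HDR = re.compile(r"IKE peer (\S+), Index \d+, Role: (Initiator|Responder), State: (\w+)")
_SA_LIFE = re.compile(r"Lifetime: Expires in (\d+) seconds")
_IOS_LIFE = re.compile(r"^\s*lifetime:\s+(\d+) seconds", re.MULTILINE)


def parse_junos_ike_sa(text):
    """Return peer, role, state and remaining lifetime from one Junos IKE SA block."""
    hdr = _SA_HDR.search(text)
    life = _SA_LIFE.search(text)
    if not hdr or not life:
        raise ValueError("not a Junos IKE SA detail block")
    return {"peer": hdr.group(1), "role": hdr.group(2),
            "state": hdr.group(3), "remaining": int(life.group(1))}


def parse_ios_isakmp_lifetime(text):
    """Return the lifetime (seconds) of the first protection suite listed in
    IOS 'show crypto isakmp policy' output; the default suite comes last."""
    m = _IOS_LIFE.search(text)
    if not m:
        raise ValueError("no lifetime line in IOS policy output")
    return int(m.group(1))


def infer_negotiated_lifetime(remaining, candidates):
    """Pick the configured lifetime the SA must have started from: the
    smallest candidate that is still >= the seconds remaining."""
    fits = [c for c in candidates if c >= remaining]
    if not fits:
        raise ValueError("remaining lifetime exceeds every candidate")
    return min(fits)


def check_ike_lifetime(sa, local_lifetime, peer_lifetime):
    """Compare the lifetime the SA is actually running on with the expectation
    in the post: the lesser of the two sides' configured values."""
    expected = min(local_lifetime, peer_lifetime)
    negotiated = infer_negotiated_lifetime(sa["remaining"],
                                           [local_lifetime, peer_lifetime])
    return {"role": sa["role"], "expected": expected,
            "negotiated": negotiated, "ok": negotiated == expected}


if __name__ == "__main__":
    peer_life = parse_ios_isakmp_lifetime(CISCO_POLICY)
    for name, capture in (("SRX240", SRX240_SA), ("J4350", J4350_SA)):
        result = check_ike_lifetime(parse_junos_ike_sa(capture),
                                    JUNOS_DEFAULT_IKE_LIFETIME, peer_life)
        verdict = "OK" if result["ok"] else "MISMATCH"
        print(f"{name}: role={result['role']} expected={result['expected']}s "
              f"negotiated={result['negotiated']}s {verdict}")
```

Run against the two captures, the SRX240 SA resolves to the 28800-second value and the J4350 SA to the Cisco side's 86400 seconds, which is the discrepancy the post describes. The checker also reports the Junos role because the two captures differ in it: the SRX240 negotiated as Initiator and the J4350 as Responder, so anyone reproducing this should compare like with like (or force the Junos box to initiate) before concluding that the two platforms behave differently.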