Rebuild time VPN connection after maintenance internet router

Raymond
Raymond Posts: 19  Freshman Member
First Anniversary 10 Comments Friend Collector
edited April 2021 in Security
We have many customers (more than 7) using a ZyWALL 110 to establish a IPSec VPN connection to our company. These are VPN client to side connections. See drawing below.
 
Now we had to do some maintenance to our Internet router and now all the VPN connections to our customers are lost. When we wait 24 hours (86400 sec.), all the VPN connections are established again, but this is to long for us.

How can I reduce the time, so all the VPN connections are working again?
Is this to reduce the Phase 2 SA Life Time of our ZyWALL or do I have to change this value at all the customers?
Is it possible to reduce the SA Life Time to 900 sec. or is this not a good idea? Or is there a better setting to reestablish the VPN connection again?



All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    @Raymond
    Regarding to this case,

    you can Check “Nailed up” on VPN connection page, therefore, the device(Client role) will initiate VPN session immediately once the network access is back.


  • Raymond
    Raymond Posts: 19  Freshman Member
    First Anniversary 10 Comments Friend Collector
    @Zyxel_Charlie
    I checked several VPN clients and at all this option is activated, but is still takes 24 hours at max when all the VPN's are up again.

  • zyman2008
    zyman2008 Posts: 197  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    @Raymond
    Here the recommends,
    1. The Phase 1 life time great than phase 2 (phase 1-1 day:86400 secs., phase 2-:1 hr: 3600 secs.)
         IKE phase I is more processor intensive than IKE phase II, since the Diffie-Hellman keys have to be produced and the peers authenticated each time.
    For this reason, IKE phase I is performed less frequently. However, the IKE SA is only valid for a certain period, after which the IKE SA must be renegotiated.
    The IPSec SA is valid for an even shorter period, meaning many IKE phase II's take place.
    Reference:
    https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13847.htm
    https://forums.juniper.net/t5/SRX-Services-Gateway/IKE-life-time-VS-IPSEC-life-time/td-p/140937

    2. Set up Connectivity Check in Phase 2 of each remote client
    Once the connectivity check fail. The client side will auto disconnect and re-negotiate IKE with the server side.
    This is a event trigger action which is fast than lifetime timeout.

  • Raymond
    Raymond Posts: 19  Freshman Member
    First Anniversary 10 Comments Friend Collector
    @zyman2008
    Thanks, are there some setup recommendations for the Connectivity check?
  • Jeremylin
    Jeremylin Posts: 166  Master Member
    First Anniversary First Answer First Comment
    On Connectivity check, I use ICMP as method ,and default value for others.

  • Raymond
    Raymond Posts: 19  Freshman Member
    First Anniversary 10 Comments Friend Collector
    @Jeremylin
    Thanks.

Security Highlight