Created on 10-07-2024 12:38 AM. Edited on 06-02-2025 02:23 PM. By Jean-Philippe_P.
This article explains the meaning of the log message 'IPsec phase1 SA deleted' and how it assists in understanding the process of IPsec VPN negotiation. The log entry provides key insights into the deletion of a Phase 1 Security Association (SA) during the rekeying process, which is essential for secure and reliable VPN management.
The following is an example of the log message:
logid="0101037134" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action="delete_phase1_sa" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="30820aa390687e39/886e72bf5461fb8d" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"
This log indicates that the Phase 1 SA used to encrypt and authenticate the IPsec VPN tunnel between the local and remote devices has reached the point where a new SA is re-negotiated. Once the new SA has been created, the old SA is deleted, producing the message 'delete IPsec phase 1 SA'.
This process is part of maintaining the security of the VPN tunnel and ensuring that new encryption keys are exchanged.
Scope: FortiGate.
Meaning of the 'IPsec Phase1 SA Deleted' Log Message:
The deletion of the Phase 1 SA is part of the rekeying process. The log message confirms that the VPN tunnel’s existing SA has been removed to allow a new SA to be negotiated. This is a common practice in IPsec VPNs to refresh encryption keys or when SA lifetimes expire. The FortiGate continues to manage traffic while ensuring that the negotiation of a new SA does not interrupt the VPN connection.
Sample Logs:
Cookies: Unique identifiers that track the SA negotiation and session.
Rekeying and Key Lifetime:
Impact of the Message:
Conclusion:
The log message 'IPsec phase1 SA deleted' is a crucial indicator in VPN management. It signals the rekeying process that refreshes the security association, ensuring ongoing encryption and security. Monitoring these logs can help administrators maintain a secure and reliable VPN infrastructure.
Note: Rekeying is designed to be seamless and non-disruptive. If Phase 1 goes down instead of being rekeyed, the most likely causes are a mismatch in the lifetime settings between the two peers, one side not supporting rekeying, or a NAT device blocking the negotiation.
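To tell a routine rekey (one Phase 1 deletion per key lifetime) from the tunnel flapping the note above describes, an administrator can parse these event lines and count 'delete_phase1_sa' events per tunnel over a short window. The following Python is an added example, not Fortinet's code: the first sample line is the one from this article, the remaining lines are constructed from it with invented eventtime, cookies and vpntunnel values, and the 10-minute window and threshold of two deletions are assumptions to tune for your own lifetime settings.

```python
import re
from collections import defaultdict

# FortiGate event logs are space-separated key=value pairs; string values are
# double-quoted and may contain spaces or slashes, others (IPs, ports, epoch
# times) are bare.  Group 3 is a quoted value, group 4 a bare one.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of field name -> string value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def find_unstable_tunnels(lines, window_seconds=600, max_deletes=2):
    """Return {vpntunnel: [eventtimes]} for tunnels whose Phase 1 SA was deleted
    more than max_deletes times within any window_seconds span.

    A healthy rekey deletes the old Phase 1 SA once per lifetime, so repeated
    deletions in a short span point at the failure modes the article's note
    lists (lifetime mismatch, peer without rekey support, NAT blocking).
    Assumption: eventtime is a Unix timestamp in seconds, as in the sample.
    """
    deletes = defaultdict(list)
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("action") != "delete_phase1_sa":
            continue
        deletes[f["vpntunnel"]].append(int(f["eventtime"]))

    unstable = {}
    for tunnel, times in deletes.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - times[i] <= window_seconds:
                j += 1
            if j - i > max_deletes:
                unstable[tunnel] = times
                break
    return unstable


# Sample input.  The first entry reproduces the article's log line; the rest are
# constructed variations for the example (eventtime, cookies and vpntunnel are
# invented, not real device output).
_TEMPLATE = (
    'logid="0101037134" type="event" subtype="vpn" level="notice" vd="root" '
    'eventtime={eventtime} logdesc="IPsec phase 1 SA deleted" '
    'msg="delete IPsec phase 1 SA" action="delete_phase1_sa" '
    'remip={remip} locip=173.1.1.1 remport=500 locport=500 outintf="port13" '
    'cookies="{cookies}" user="N/A" group="N/A" xauthuser="N/A" '
    'xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="{tunnel}"'
)
SAMPLE_LOGS = [
    _TEMPLATE.format(eventtime=1544132571, remip="11.101.1.1",
                     cookies="30820aa390687e39/886e72bf5461fb8d", tunnel="to_HQ"),
    # to_HQ deleted again two and four minutes later: flapping, not a rekey
    _TEMPLATE.format(eventtime=1544132691, remip="11.101.1.1",
                     cookies="0000000000000001/0000000000000002", tunnel="to_HQ"),
    _TEMPLATE.format(eventtime=1544132811, remip="11.101.1.1",
                     cookies="0000000000000003/0000000000000004", tunnel="to_HQ"),
    # to_branch deleted once: consistent with a normal rekey
    _TEMPLATE.format(eventtime=1544132600, remip="11.102.1.1",
                     cookies="0000000000000005/0000000000000006", tunnel="to_branch"),
]

if __name__ == "__main__":
    for tunnel, times in find_unstable_tunnels(SAMPLE_LOGS).items():
        print(f"{tunnel}: {len(times)} phase 1 SA deletions, check lifetime/NAT/rekey settings")
```

Run it against lines exported from the FortiGate event log (syslog or a log file) in place of SAMPLE_LOGS; a tunnel that only appears once per configured lifetime is behaving as the article describes, while one that trips the threshold deserves a comparison of Phase 1 lifetimes on both peers.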
Copyright 2025 Fortinet, Inc. All Rights Reserved.