IPSEC Idle timeout

Answered Question
Aug 19th, 2008

Hi,

Can someone please tell me what the default idle timeout on IPSEC tunnels is? My problem is I have a tunnel created on a 7206 and I need to check what the idle timeout settings are on the box.

Regards,

Anuradha.

dlwanuradha Wed, 08/20/2008 - 01:03

Hi Farrukh,

Thanks for the quick reply. Can you please let me know whether the "lifetime" settings would act as a timeout? My impression was that once the lifetime runs out, it will renegotiate a new key rather than tearing the tunnel down. Is this correct?

Thanks,

Anuradha.

Correct Answer
Farrukh Haroon Wed, 08/20/2008 - 02:01

The timeout is meant to maintain the security of a VPN connection. After the said time the keys etc. are regenerated to reduce the impact of anybody discovering them during the active lifetime of the keying material. If PFS (Perfect Forward Secrecy) is used these concerns are further reduced. The SAs are reestablished a little before the timeout so that there is no downtime. This is per the Cisco ASA Configuration Guide:

"You can change the global lifetime values that the security appliance uses when negotiating new IPSec SAs. You can override these global lifetime values for a particular crypto map.

IPSec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).

If you change a global lifetime, the security appliance drops the tunnel. It uses the new value in the negotiation of subsequently established SAs.

When a crypto map does not have configured lifetime values and the security appliance requests a new SA, it inserts the global lifetime values used in the existing SA into the request sent to the peer. When a peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or the locally configured lifetime value as the lifetime of the new SA.

The peers negotiate a new SA before crossing the lifetime threshold of the existing SA to ensure that a new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent of the lifetime of the existing SA remains"

Regards

Farrukh
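The two-lifetime and early-rekey behaviour quoted above, worked through as an added Python model (not code from this thread or from Cisco): the SA class, the constant-rate simulation and the "smaller lifetime wins" helper are my own constructions, and the 15% trigger is the top of the 5 to 15 percent range the guide gives.

```python
from dataclasses import dataclass

# Default lifetimes quoted from the ASA guide above.
DEFAULT_SECONDS = 28_800       # "timed" lifetime, eight hours
DEFAULT_KILOBYTES = 4_608_000  # "traffic-volume" lifetime

@dataclass
class IpsecSa:
    lifetime_seconds: int
    lifetime_kilobytes: int
    elapsed_seconds: int = 0
    kilobytes_sent: int = 0

    def remaining(self):
        return (self.lifetime_seconds - self.elapsed_seconds,
                self.lifetime_kilobytes - self.kilobytes_sent)

    def expired(self) -> bool:
        """The SA ends as soon as either lifetime is used up."""
        secs_left, kb_left = self.remaining()
        return secs_left <= 0 or kb_left <= 0

    def should_rekey(self, percent: int = 15) -> bool:
        """Negotiate the replacement once either lifetime has <= percent% left."""
        secs_left, kb_left = self.remaining()
        return not self.expired() and (
            secs_left * 100 <= self.lifetime_seconds * percent
            or kb_left * 100 <= self.lifetime_kilobytes * percent)

def negotiate_lifetime(proposed: int, local: int) -> int:
    """Responder keeps the smaller of the peer's proposal and its own value."""
    return min(proposed, local)

def implied_rate_bps(kilobytes: int = DEFAULT_KILOBYTES, seconds: int = 3600) -> int:
    """Bit rate that exhausts `kilobytes` in `seconds` (1 KB = 1024 bytes); for the
    defaults this is 10 * 2**20 bit/s, i.e. 10 Mbit/s rather than 10 megabytes/s."""
    return kilobytes * 1024 * 8 // seconds

def simulate(rate_kbps: int, lifetime_s: int = DEFAULT_SECONDS,
             lifetime_kb: int = DEFAULT_KILOBYTES) -> dict:
    """Drive one SA at a constant KB/s rate, one second per step (constructed input)."""
    sa = IpsecSa(lifetime_s, lifetime_kb)
    rekey_at = None
    while not sa.expired():
        sa.elapsed_seconds += 1
        sa.kilobytes_sent += rate_kbps
        if rekey_at is None and sa.should_rekey():
            rekey_at = sa.elapsed_seconds  # new SA negotiated before the old one expires
    limiter = "traffic-volume" if sa.remaining()[1] <= 0 else "timed"
    return {"rekey_at_s": rekey_at, "expired_at_s": sa.elapsed_seconds, "limited_by": limiter}
```

At 2000 KB/s the volume lifetime wins and rekeying starts at 1959 s, well before expiry at 2304 s; on an idle tunnel the timed lifetime wins and rekeying starts at 24480 s of the 28800 s, which is why the tunnel is replaced rather than torn down.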

dlwanuradha Wed, 08/20/2008 - 02:16

Thanks a lot for the detailed explanation Farrukh. I have a better idea now.

Regards,

Anuradha
