08-19-2008 06:22 AM - edited 02-21-2020 03:53 PM
Hi,
Can someone please tell me what's the default idle timeout on IPSEC tunnels. My problem is I have a tunnel created on a 7206 I need to check what's the idle timeout settings on the box.
Regards,
Anuradha.
08-20-2008 02:01 AM
The timeout is meant to maintain the security of a VPN connection. After the said time the keys etc. are regenerated to reduce the impact of anybody discovering them during the active lifetime of the keying material. If PFS (Perfect Forward Secrecy) is used these concerns are further reduced. The SAs are reestablished a little before the timeout so that there is no downtime. This is per the Cisco ASA Configuration Guide:
"You can change the global lifetime values that the security appliance uses when negotiating new IPSec SAs. You can override these global lifetime values for a particular crypto map.
IPSec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).
If you change a global lifetime, the security appliance drops the tunnel. It uses the new value in the negotiation of subsequently established SAs.
When a crypto map does not have configured lifetime values and the security appliance requests a new SA, it inserts the global lifetime values used in the existing SA into the request sent to the peer. When a peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or the locally configured lifetime value as the lifetime of the new SA.
The peers negotiate a new SA before crossing the lifetime threshold of the existing SA to ensure that a new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent of the lifetime of the existing SA remains"
Regards
Farrukh
08-19-2008 12:31 PM
By default there is no idle timeout for phase 2. It's unlimited.
Have a look at this:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html#wp1032378
Regards
Farrukh
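As an added example (not part of any post in this thread), here is how one would check, and if wanted set, the IPsec SA idle timer and the SA lifetimes on an IOS router such as the 7206 asked about above. The crypto map name VPNMAP and sequence number 10 are assumed for illustration only; the show and configuration commands themselves are standard IOS. Note that the defaults Farrukh quotes come from the ASA guide; on IOS the global default IPsec SA lifetime is 3600 seconds / 4,608,000 kilobytes, and with no idle-time configured the SA is simply re-keyed when its lifetime runs out rather than torn down for inactivity.

```cisco
! ---- Check what is currently in effect ---------------------------------
! Global IPsec SA lifetimes (IOS defaults: 3600 seconds / 4608000 kilobytes)
Router# show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/3600 seconds

! Per-SA view. The "sa timing" line shows how much volume/time is left
! before the SA is re-keyed. (Output excerpt is illustrative.)
Router# show crypto ipsec sa
 ...
     sa timing: remaining key lifetime (k/sec): (4607999/3567)
 ...

! Any idle timer or non-default lifetime that has been configured shows
! up in the running config; nothing here means "no idle timeout".
Router# show running-config | include idle-time
Router# show running-config | include security-association lifetime

! ---- Configure (example values) ----------------------------------------
Router# configure terminal
! Global idle timer: drop IPsec SAs that carry no traffic for 10 minutes
! (range 60 to 86400 seconds; IPsec SA Idle Timers feature, IOS 12.2(15)T+,
!  see the link in the post above)
Router(config)# crypto ipsec security-association idle-time 600

! Global lifetimes: re-key every hour or every 4,608,000 KB, whichever
! comes first (these are the IOS defaults, shown here explicitly)
Router(config)# crypto ipsec security-association lifetime seconds 3600
Router(config)# crypto ipsec security-association lifetime kilobytes 4608000

! Per-crypto-map override (VPNMAP / 10 are assumed names). The peer ends
! up using the smaller of its own and our proposed lifetime.
Router(config)# crypto map VPNMAP 10 ipsec-isakmp
Router(config-crypto-map)# set security-association lifetime seconds 1800
Router(config-crypto-map)# set security-association idle-time 300
Router(config-crypto-map)# end
```

Changing a global lifetime affects only SAs negotiated afterwards; to see the new value take effect on an existing tunnel you would clear it (clear crypto sa) or wait for the current SA to expire and re-key.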
08-20-2008 01:03 AM
Hi Farrukh,
Thanks for the quick reply. Can you please let me know whether "lifetime" settings would act as a time out. My impression was once the lifetime run out, it will renegotiate a new key rather than tearing the tunnel down. Is this correct?
Thanks,
Anuradha.
08-20-2008 02:16 AM
Thanks a lot for the detailed explanation Farrukh. Have a better idea now.
Regards,
Anuradha