17574 Views | 10 Helpful | 4 Replies

IPSEC Idle timeout

dlwanuradha
Level 1

Hi,

Can someone please tell me what's the default idle timeout on IPSEC tunnels. My problem is I have a tunnel created on a 7206 I need to check what's the idle timeout settings on the box.

Regards,

Anuradha.


4 Replies

Farrukh Haroon
VIP Alumni

By default there is no idle timeout for phase 2. It's unlimited.

Have a look at this:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html#wp1032378

Regards

Farrukh

Hi Farrukh,

Thanks for the quick reply. Can you please let me know whether "lifetime" settings would act as a timeout. My impression was once the lifetime runs out, it will renegotiate a new key rather than tearing the tunnel down. Is this correct?

Thanks,

Anuradha.

The timeout is meant to maintain the security of a VPN connection. After the said time the keys etc. are regenerated to reduce the impact of anybody discovering them during the active lifetime of the keying material. If PFS (Perfect Forward Secrecy) is used these concerns are further reduced. The SAs are reestablished a little before the timeout so that there is no downtime. This is per the Cisco ASA Configuration Guide:

"You can change the global lifetime values that the security appliance uses when negotiating new IPSec SAs. You can override these global lifetime values for a particular crypto map.

IPSec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).

If you change a global lifetime, the security appliance drops the tunnel. It uses the new value in the negotiation of subsequently established SAs.

When a crypto map does not have configured lifetime values and the security appliance requests a new SA, it inserts the global lifetime values used in the existing SA into the request sent to the peer. When a peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or the locally configured lifetime value as the lifetime of the new SA.

The peers negotiate a new SA before crossing the lifetime threshold of the existing SA to ensure that a new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent of the lifetime of the existing SA remains"

Regards

Farrukh
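As an added illustration (not part of the thread and not Cisco code), the Python model below applies the rules quoted above: the responder keeps the smaller of the proposed and local lifetime for each dimension, an SA is bounded by whichever lifetime (timed or traffic-volume) runs out first, rekeying starts when roughly 5 to 15 percent remains, and there is no phase-2 idle timeout unless one is configured. The function names, the 15 percent threshold and the state labels are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults quoted from the Cisco guide in the reply above.
DEFAULT_SECONDS = 28_800        # timed lifetime: eight hours
DEFAULT_KILOBYTES = 4_608_000   # traffic-volume lifetime


@dataclass(frozen=True)
class SaLifetime:
    seconds: int
    kilobytes: int


DEFAULT_LIFETIME = SaLifetime(DEFAULT_SECONDS, DEFAULT_KILOBYTES)


def negotiate_lifetime(local: SaLifetime, proposed: SaLifetime) -> SaLifetime:
    """Responder rule from the quoted guide: for each lifetime, the smaller of
    the peer's proposal and the locally configured value becomes the SA's value."""
    return SaLifetime(min(local.seconds, proposed.seconds),
                      min(local.kilobytes, proposed.kilobytes))


def fraction_remaining(lifetime: SaLifetime, age_s: float, sent_kb: float) -> float:
    """Unused fraction of the SA, limited by whichever lifetime is closer to
    running out (time or volume); both expire the SA independently."""
    by_time = 1.0 - age_s / lifetime.seconds
    by_volume = 1.0 - sent_kb / lifetime.kilobytes
    return min(by_time, by_volume)


def sa_state(lifetime: SaLifetime, age_s: float, sent_kb: float,
             idle_s: float = 0.0, idle_timeout_s: Optional[int] = None,
             rekey_threshold: float = 0.15) -> str:
    """Classify an SA. idle_timeout_s defaults to None because, as the thread
    says, there is no phase-2 idle timeout unless one is explicitly configured."""
    if idle_timeout_s is not None and idle_s >= idle_timeout_s:
        return "idle-timeout"     # only reachable when an idle timer is set
    remaining = fraction_remaining(lifetime, age_s, sent_kb)
    if remaining <= 0.0:
        return "expired"          # lifetime crossed; the replacement SA carries traffic
    if remaining <= rekey_threshold:
        return "rekeying"         # 5-15% left: peers negotiate the new SA early
    return "active"               # keys still within their intended lifetime
```

The traffic-volume check is why a busy tunnel can rekey long before eight hours have passed, while an idle tunnel with no idle timer simply stays up until its timed lifetime triggers a rekey.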

Thanks a lot for the detailed explanation Farrukh. Have a better idea now.

Regards,

Anuradha
