Lifetime parameter in VPN

Unanswered Question
Aug 21st, 2008


I have following query:

Is the lifetime parameter setting should be identical on both side firewall for both Phase-1 and Phase-2? or it can be different?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marwan ALshawi Thu, 08/21/2008 - 05:05

not must identical but better, When this lifetime expires, the IPsec peers renegotiate IKE phase 1

Many people choose to leave the IKE SA lifetime at the default value of 86400. It is worth noting, however, that the longer the lifetime, the less secure the SA is. The SA is less secure with a longer lifetime because with a longer lifetime an attacker has more time to collect encrypted traffic and subject it to cryptanalysis (attempt to recover the plaintext). However, a shorter IKE lifetime causes IPsec peers to have to renegotiate IKE more often

please, if helpful Rate

prichetakashyap Thu, 08/21/2008 - 23:08

thanks for the detail but do the re-negotiation affects running ipsec-tunnel? that if tunnel disconnects?


mahesh18 Sun, 08/18/2013 - 12:55

Hi Marwanshawi,

I was looking for same info which you answered here.




This Discussion