IPSEC Concepts Clarifications

Nov 5th, 2008

I've been reading up on IPSEC and understand most of the concepts, but there are a few for which I am still a little unsure. I would appreciate it if I could get a little more clarification on the concepts below.

1.) IPSEC over TCP versus IPSEC over UDP. From what I know, TCP option encapsulates the IPSEC packet using TCP and the UDP option encapsulates the IPSEC packet using UDP. TCP by default uses port 10000 and UDP uses port 4500. But what are the benefits of using TCP as opposed to using UDP? I know TCP is more reliable than UDP, but is that the only benefit?

2.) When you specify ISAKMP phase 1 parameters for a VPN tunnel, what is the purpose of the "group" setting? Also, how come there is no group setting for phase 2?

3.) Lifetime setting for ISAKMP phase 1 parameters. By default, the lifetime setting is 86400 seconds (24 hrs.). So does this mean that the SA will be up for 24 hours even if there is no interesting traffic being sent across the tunnel? If I configure the crypto isakmp keepalive for 300 seconds (5 min), and no response is received within 5 minutes, does this mean the SA will be torn down?

1. Don't think of it too much ;) Always try to use UDP (NAT-T), then TCP if it doesn't work for some weird reason.

2. This describes "the strength" of the DH key agreement. Phase 2 DH group is specified via the "set pfs groupX" command (PFS is NOT recommended).

3. Yes and yes. Also, you can configure an idle timer:

crypto map mymap 10 ipsec-isakmp
 set security-association idletime seconds
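To make the UDP side of question 1 concrete: when IPsec runs over UDP 4500 (NAT-T), the peers share that one port between IKE, ESP and NAT keepalives, and a receiver (or a packet-inspection tool) tells them apart by the first bytes of the UDP payload. The following Python is an added example written for this thread, not code from the original post or from any vendor; it follows the NAT-T framing in RFC 3948/RFC 3947 (a lone 0xFF byte is a keepalive, four zero bytes mark an IKE message, anything else starts with an ESP header) and classifies a few constructed sample datagrams.

```python
import struct

# Framing of datagrams on UDP port 4500 (IPsec NAT-T, RFC 3948 / RFC 3947):
#   - a single 0xFF byte is a NAT keepalive
#   - four zero bytes (the "non-ESP marker") precede an ISAKMP/IKE message
#   - anything else starts directly with an ESP header (SPI, sequence number);
#     SPI 0 is reserved, so an ESP packet can never begin with four zero bytes,
#     which is what makes the marker unambiguous
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HEADER = struct.Struct("!QQBBBBII")  # 28-byte ISAKMP/IKE header
ESP_HEADER = struct.Struct("!II")           # SPI + sequence number


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER.size:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        (ispi, rspi, next_payload, version, exch_type,
         flags, msg_id, length) = ISAKMP_HEADER.unpack_from(ike)
        return {
            "kind": "ike",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "next_payload": next_payload,
            "major_version": version >> 4,
            "exchange_type": exch_type,
            "flags": flags,
            "message_id": msg_id,
            # the length field must cover exactly what arrived
            "length_ok": length == len(ike),
        }
    if len(payload) < ESP_HEADER.size:
        return {"kind": "invalid", "reason": "too short for ESP"}
    spi, seq = ESP_HEADER.unpack_from(payload)
    return {
        "kind": "esp",
        "spi": spi,
        "seq": seq,
        "encrypted_len": len(payload) - ESP_HEADER.size,
    }


def build_ike_sa_init_sample() -> bytes:
    """Constructed sample: a bare IKEv2 IKE_SA_INIT header behind the non-ESP marker."""
    header = ISAKMP_HEADER.pack(
        0x1122334455667788,  # initiator SPI (constructed value)
        0,                   # responder SPI not yet assigned
        33,                  # next payload: SA
        0x20,                # IKEv2 (major 2, minor 0)
        34,                  # exchange type IKE_SA_INIT
        0x08,                # flags: Initiator
        0,                   # message ID
        ISAKMP_HEADER.size,  # total length: header only in this sample
    )
    return NON_ESP_MARKER + header


def build_esp_sample() -> bytes:
    """Constructed sample: ESP header followed by 16 placeholder ciphertext bytes."""
    return ESP_HEADER.pack(0x0000ABCD, 1) + b"\xaa" * 16


if __name__ == "__main__":
    for name, sample in [
        ("keepalive", NAT_KEEPALIVE),
        ("ike", build_ike_sa_init_sample()),
        ("esp", build_esp_sample()),
        ("garbage", b"\x00\x00"),
    ]:
        print(name, classify_natt_payload(sample))
```

The same demultiplexing is why NAT-T needs no separate port per protocol, and it is also what a firewall or IDS has to do before it can, for example, count IKE retransmissions separately from ESP data volume on port 4500.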
