Tunnel in IPsec VPN during idle time

Giuseppe Larosa Mon, 12/28/2009 - 00:49

Hello Alsayed,

As in routers, the security associations (SAs) have a lifetime based on two factors: time and traffic volume.

See:

IPsec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).

https://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1042781

Be aware that extending the lifetime exposes you to security risk, so it is not recommended.

The best way would be to have a GRE tunnel encapsulated in IPsec on the ASA, originated and terminated on routers, with a routing protocol running on it and a high metric so that it is not used until the primary path is active.


R1 ---- ASA1 ---------------------------- ASA2 --- R2


Hope to help

Giuseppe
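As an added illustration of the design in the answer above (not Giuseppe's configuration and not taken from Cisco documentation), this is the R1 side of a backup GRE tunnel whose OSPF cost is raised so it carries traffic only when the primary path fails. It assumes placeholder addresses and, unlike the post, applies IPsec protection on the routers themselves with a tunnel profile rather than on the in-path ASAs; the SA lifetimes are left at their platform defaults rather than extended.

```cisco
! R1 side of the backup GRE-over-IPsec tunnel; R2 mirrors this with addresses swapped.
! Assumed addressing (placeholders): R1 tunnel source 198.51.100.1,
! R2 tunnel source 203.0.113.2, tunnel link 10.255.0.0/30.
! Assumption: IPsec is applied here on the routers via "tunnel protection";
! in the post the ASAs in the path perform the encryption instead.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2
!
! Transport mode is enough because GRE already provides the outer header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! No "set security-association lifetime" here: the timed and traffic-volume
! lifetimes stay at the platform defaults, as the answer recommends.
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-TS
!
interface Tunnel0
 description Backup path to R2 over IPsec-protected GRE
 ip address 10.255.0.1 255.255.255.252
 ! Leave room for the GRE and ESP overhead to avoid fragmentation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROFILE
 ! High OSPF cost: the tunnel is a worse path than the primary link,
 ! so it is only chosen when the primary route disappears.
 ip ospf cost 1000
!
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
```

Verify the intended behaviour with "show ip route" (the tunnel next hop should appear only after the primary path is withdrawn) and "show crypto ipsec sa" (OSPF hellos keep the SA from sitting idle).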
