Tunnel in ipsec vpn during idle time

Unanswered Question
Giuseppe Larosa Mon, 12/28/2009 - 00:49

Hello Alsayed,

As in routers, the security associations (SAs) have a lifetime based on two factors: time and traffic volume.

IPsec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).


Be aware that extending the lifetime exposes to security risk so it is not recommended.

The best way would be to have a GRE tunnel, encapsulated in IPsec on the ASA, originated and terminated on routers, with a routing protocol running on it and a high metric so that it is not used while the primary path is active.

R1 ---- ASA1 ---------------------------- ASA2 --- R2

Hope to help
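The design described in the reply, a GRE tunnel between the two routers carried inside an ASA-to-ASA IPsec tunnel and held at a high routing cost so it only carries traffic when the primary path is gone, as an added configuration example that is not part of the original post or of any Cisco documentation. All addresses, interface names, ACL and crypto map names, and the ASA 8.2-era command syntax are assumptions; the two IPsec lifetime commands restate the defaults quoted in the reply so the values are visible in the running configuration rather than implied.

```cisco
! Added example, not from the original post. Addresses, names and the
! ASA 8.2-era syntax are assumptions for illustration.
!
! --- R1 (IOS): GRE tunnel to R2, kept as backup by a high OSPF cost ---
! OSPF hellos across the tunnel are steady "interesting" traffic, so the
! IPsec SA on the ASAs is never idle even when no user data is flowing.
! GigabitEthernet0/0 is assumed to carry 10.0.1.1, R1's inside address.
interface Tunnel0
 description Backup path to R2 (GRE, encrypted by ASA1/ASA2)
 ip address 172.16.0.1 255.255.255.252
! Much higher than the primary path's cost, so this route is only chosen
! when the primary path disappears from the OSPF topology.
 ip ospf cost 1000
! GRE keepalives take the tunnel line protocol down if R2 stops answering,
! which withdraws the backup route instead of black-holing traffic.
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.2.1
 tunnel mode gre ip
!
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! --- ASA1 (8.2-era syntax): encrypt the GRE flow between R1 and R2 ---
! Only GRE between the two router addresses is "interesting" traffic.
access-list GRE-TO-R2 extended permit gre host 10.0.1.1 host 10.0.2.1
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! The two lifetimes from the reply, set explicitly at their defaults
! (8 hours and 4,608,000 KB). Whichever limit is reached first triggers
! the rekey; a shorter lifetime bounds how much traffic one key protects.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map OUTSIDE_MAP 10 match address GRE-TO-R2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
!
! Not shown: NAT exemption for 10.0.1.1 <-> 10.0.2.1 on both ASAs, the
! mirror-image configuration on ASA2 and R2, and an interface ACL entry
! for the decrypted GRE if "sysopt connection permit-vpn" is disabled.
```

With this in place, the ASA SAs are rekeyed on the time or volume limit as before; what changes is that the routing protocol hellos keep the tunnel from being idle, and the high cost keeps it out of the forwarding path until the primary route is withdrawn, so there is no reason to lengthen the lifetimes.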

