Phase 1 - not negotiating properly?

Unanswered Question
Apr 12th, 2010

I have a couple of VPN endpoints negotiating 28800 lifetime, and some 86400 (default).  One site, however, is configured with only one policy (86400) but negotiating at 28800.  Shouldn't it pick up policy 2 instead?  I know that between Cisco devices, the lower lifetime is used, but why are some picking up 86400 and some not?


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

Federico Coto F... Mon, 04/12/2010 - 07:04
User Badges:
  • Green, 3000 points or more

Hi,


If you have both sites with the default phase 1 lifetime, that's what they will negotiate.

If both sites have 28800, that's what they will negotiate.


You're correct in that the lowest lifetime will be negotiated.

This applies to the sequence of the isakmp policies.


For instance,

Any router negotiating with this particular router will negotiate a phase 1 lifetime of 28800 unless it has the 86400 value configured, in which case it will match policy 2.


Federico.

droeun141 Mon, 04/12/2010 - 07:06

That's the thing though, one site has only 1 policy with 86400 and is picking up the 28800.

Federico Coto F... Mon, 04/12/2010 - 07:09
User Badges:
  • Green, 3000 points or more

But on that site with a single policy, do you see the policy like this:


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 86400


Or like this:


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2


The difference is whether the lifetime is hardcoded.


If this site has the first policy it should negotiate policy 2, but if it has the second policy it will go for policy 1.


Federico.

droeun141 Mon, 04/12/2010 - 07:18

I tried to hardcode it on my end just to see, but it still shows up the same because it's default.


The remote site looks like this:


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Federico Coto F... Mon, 04/12/2010 - 07:30
User Badges:
  • Green, 3000 points or more

I think I was confused.


I believe that if a policy matches the encryption, hash, authentication and D-H group, it will then negotiate the lowest lifetime.

I think now that what you're seeing is normal behavior.


Federico.

droeun141 Mon, 04/12/2010 - 07:39

That's the way I understood it, but I'm just confused why some pick up 86400?

Federico Coto F... Mon, 04/12/2010 - 07:43
User Badges:
  • Green, 3000 points or more

Do the other devices that pick up the default 86400 match all the values for the first policy? (encryption, hash, authentication and D-H).


Federico.
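The matching rule the thread converges on (compare policies in priority order, require encryption, hash, authentication and D-H group to agree, use the lower of the two lifetimes) can be written down and run against the configurations quoted above. The following is an added example for this thread, not Cisco code or anything posted by the participants. It assumes the Cisco IOS defaults for the two attributes the quoted policies leave unset (hash sha, lifetime 86400 seconds); the peer with an md5 hash is constructed here to show the no-match case and does not appear in the thread.

```python
"""Model of how two Cisco IOS peers settle on an IKE phase 1 (ISAKMP) policy.

Added example for this thread, not Cisco code. It encodes the rule the thread
arrives at: policies are compared in priority order, a pair matches when
encryption, hash, authentication and D-H group agree, and the lower of the two
lifetimes is the one used.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cisco IOS defaults for the two attributes the thread's policies leave unset.
DEFAULT_HASH = "sha"
DEFAULT_LIFETIME = 86400  # seconds


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int  # 'crypto isakmp policy <priority>'; lower number is tried first
    encr: str
    auth: str
    group: int
    hash: str = DEFAULT_HASH
    lifetime: int = DEFAULT_LIFETIME

    def attrs(self) -> Tuple[str, str, str, int]:
        """The four attributes that must match exactly; lifetime is deliberately absent."""
        return (self.encr, self.hash, self.auth, self.group)


def negotiate(local: List[IsakmpPolicy],
              remote: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """Return (local_priority, remote_priority, lifetime) for the first matching
    pair of policies, or None when nothing matches and no SA can be built.

    Both sides are walked in priority order (lowest number first). The lifetime
    is not part of the match; once a pair matches, the shorter lifetime is used.
    """
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in sorted(remote, key=lambda p: p.priority):
            if lp.attrs() == rp.attrs():
                return (lp.priority, rp.priority, min(lp.lifetime, rp.lifetime))
    return None


def shadowed_policies(policies: List[IsakmpPolicy]) -> List[int]:
    """Priorities of policies that can never be selected under this rule: an
    earlier (lower-numbered) policy has the same four attributes, so it matches
    first and its lifetime is min()'d with the peer's; the later one is never
    reached. This is why the two-policy site below never negotiates policy 2."""
    seen = set()
    shadowed = []
    for p in sorted(policies, key=lambda p: p.priority):
        if p.attrs() in seen:
            shadowed.append(p.priority)
        seen.add(p.attrs())
    return shadowed


# Policies quoted in the thread: the site with two policies ...
HUB_POLICIES = [
    IsakmpPolicy(priority=1, encr="3des", auth="pre-share", group=2, lifetime=28800),
    IsakmpPolicy(priority=2, encr="3des", auth="pre-share", group=2),  # default 86400
]
# ... and the remote site with a single policy and no 'lifetime' line.
SPOKE_DEFAULT = [IsakmpPolicy(priority=1, encr="3des", auth="pre-share", group=2)]
# Constructed peer, not from the thread: same policy but hash md5, so no match.
SPOKE_MD5 = [IsakmpPolicy(priority=1, encr="3des", auth="pre-share", group=2, hash="md5")]

if __name__ == "__main__":
    print(negotiate(HUB_POLICIES, SPOKE_DEFAULT))  # (1, 1, 28800)
    print(negotiate(HUB_POLICIES, SPOKE_MD5))      # None
    print(shadowed_policies(HUB_POLICIES))         # [2]
```

Run as-is, the first call reproduces what the original poster sees: the single-policy site matches policy 1 on all four attributes and the lifetime drops to 28800. The last call shows the consequence of two policies that differ only in lifetime: policy 2 can never be chosen, so a peer that does end up at 86400 must be matching something other than this pair of policies, which is the check Federico asks for above.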
