Crypto ipsec transform-set

Unanswered Question
Dec 12th, 2011


I have a Cisco Linux client which always breaks after 15:26 minutes. I am suspicious that the problem is in crypto ipsec transform-set.

This is the configuration:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Can I add more transform sets to test whether this is the problem?


ajay chauhan Mon, 12/12/2011 - 03:23

The transform set does not have to deal with the timeout period. There is always a setting for the SA phase 1 and phase 2 lifetime.

If left on default, then phase 1 is going to be 24 hrs and phase 2 is going to be 28000 seconds. There is another thing, called the idle/session timeout value, whose default is 30 mins.

If everything is set to default, then I would suggest looking at the logs of the firewall. Also check the status of other VPN clients to see if all are getting disconnected or just the one which is on Linux.

Enter the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none

Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-session-timeout none



derleader111 Mon, 12/12/2011 - 03:42

Yes, but I think that the configuration that you posted is for an ASA device.

I have a Cisco 1841 router with IOS 15.1 as VPN server.

How must I configure it?

ajay chauhan Mon, 12/12/2011 - 03:59

First of all, I would say run this command to check what is configured:

#show crypto isakmp policy

Changing the SA lifetime for phase 1: need to add the lifetime command with a value at the end.

crypto isakmp policy 15
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000

Changing the SA lifetime for phase 2:

crypto ipsec security-association lifetime seconds



derleader111 Mon, 12/12/2011 - 04:33

Cisco#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit

P.S. I use CentOS 5.7 and VPN client 4.8.

Is it possible that the problem is in the VPN client?

I have a CentOS server with a VPNC client which is connected 24 hours.
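
An added example, not part of any post in this thread: it parses the show crypto isakmp policy output quoted above and checks whether the reported 15:26 drop interval lines up with any timer mentioned in the discussion. The function names and the 10% tolerance are assumptions, and the phase 2 and idle values are taken as stated in the thread, not read from the router.

```python
import re

# Constructed input: the `show crypto isakmp policy` output quoted in the thread.
SHOW_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
"""

def parse_isakmp_policies(text):
    """Map each policy priority to its {field: value} pairs."""
    policies, current = {}, None
    for line in text.splitlines():
        suite = re.match(r"\s*Protection suite of priority (\d+)", line)
        if suite:
            current = policies.setdefault(int(suite.group(1)), {})
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)
            current[field.strip().lower()] = value.strip()
    return policies

def phase1_lifetimes(policies):
    """Phase 1 SA lifetime in seconds for every parsed policy."""
    out = {}
    for prio, fields in policies.items():
        m = re.match(r"(\d+) seconds", fields.get("lifetime", ""))
        if m:
            out[f"phase 1 lifetime (policy {prio})"] = int(m.group(1))
    return out

def to_seconds(mmss):
    """Convert an 'MM:SS' duration such as '15:26' to seconds."""
    minutes, seconds = mmss.split(":")
    return int(minutes) * 60 + int(seconds)

def timers_near(drop_seconds, timers, tolerance=0.10):
    """Timers whose value lies within `tolerance` (a fraction) of the drop interval."""
    return [name for name, value in timers.items()
            if abs(value - drop_seconds) <= tolerance * value]

if __name__ == "__main__":
    timers = phase1_lifetimes(parse_isakmp_policies(SHOW_OUTPUT))
    # Values as stated in the thread, not read from this router.
    timers.update({"phase 2 lifetime": 28000, "idle timeout": 30 * 60})
    drop = to_seconds("15:26")
    print(drop, timers_near(drop, timers) or "no configured timer matches")
```

An empty result means none of the listed timers sits near the 926-second drop, so the log and client checks suggested in the thread are the next step.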

