
Crypto ipsec transform-set

derleader111
Level 1

Hi,

I have a Cisco Linux client which always breaks after 15:26 minutes. I suspect that the problem is in the crypto ipsec transform-set.

This is the configuration:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Can I add more transform sets to test whether this is the problem?

Regards


ajay chauhan
Level 7

The transform set does not deal with the timeout period. There is always a setting for the SA phase 1 and phase 2 lifetime.

If left on default, phase 1 is going to be 24 hours and phase 2 is going to be 28000 seconds. There is another thing, called the idle/session timeout value, whose default is 30 minutes.

If all is set on default, then I would suggest looking at the logs of the firewall. Also check the status of the other VPN clients to see if all are getting disconnected or just the one on Linux.

Enter the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none

Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-session-timeout none

Thanks

Ajay

Yes, but I think that the configuration that you posted is for an ASA device.

I have a Cisco 1841 router with IOS 15.1 as VPN server.

How must I configure it?

First of all, I would say run this command to check what is configured:

#show crypto isakmp policy

Changing the SA lifetime for phase 1: you need to add the lifetime command with a value at the end.

crypto isakmp policy 15
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000

Changing the SA lifetime for phase 2:

crypto ipsec security-association lifetime seconds

Thanks

Ajay

Cisco#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit

P.S. I use CentOS 5.7 and VPN client 4.8.

Is it possible that the problem is in the VPN client?

I have a CentOS server with a VPNC client which is connected 24 hours.
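An added example, not written by any participant in the thread: a small Python parser for the `show crypto isakmp policy` output posted above. It compares the phase 1 lifetime with the reported drop time and lists the legacy algorithms in the policy. It assumes "15:26 minutes" means 15 minutes 26 seconds; the function names, the 60-second slack and the 2048-bit threshold are choices made for this example.

```python
import re

# Output as posted in the thread, embedded so the example runs offline.
SHOW_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
"""
DROP_AFTER = 15 * 60 + 26  # assumption: "15:26 minutes" = 15 min 26 s

def parse_policies(text):
    """Return {priority: {field: value}} for each protection suite."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Protection suite of priority (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s+([A-Za-z\- ]+):\s+(.*\S)", line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2)
    return policies

def lifetime_seconds(policy):
    m = re.match(r"(\d+) seconds", policy.get("lifetime", ""))
    return int(m.group(1)) if m else None

def lifetime_matches_drop(policy, drop_after, slack=60):
    """True only if the phase 1 lifetime lies within `slack` s of the drop."""
    life = lifetime_seconds(policy)
    return life is not None and abs(life - drop_after) <= slack

def legacy_findings(policy):
    """List deprecated algorithms present in one protection suite."""
    found = []
    if "DES" in policy.get("encryption algorithm", ""):
        found.append("encryption: DES/3DES")
    if "Message Digest 5" in policy.get("hash algorithm", ""):
        found.append("hash: MD5")
    m = re.search(r"\((\d+) bit\)", policy.get("Diffie-Hellman group", ""))
    if m and int(m.group(1)) < 2048:
        found.append("DH group below 2048 bit")
    return found

if __name__ == "__main__":
    for prio, pol in parse_policies(SHOW_OUTPUT).items():
        print(prio, lifetime_seconds(pol), lifetime_matches_drop(pol, DROP_AFTER))
        print(prio, legacy_findings(pol))
```

For the posted policy the lifetime is 86400 seconds against a drop at 926 seconds, so the two do not line up, and all three legacy checks fire.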
