IKEv1 policy/ Phase 1 lifetime matching rules on ASA (9.x)

tickermcse76 (Level 1)

According to the documentation:

Note: An IKEv1 policy match exists when both of the policies from the two peers contain the same authentication,
encryption, hash, and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime
less than or equal to the lifetime in the policy that the initiator sends. If the lifetimes are not identical, then
the ASA uses the shorter lifetime.

Does the very last statement mean the ASA will effectively downgrade its policy lifetime value to match the remote peer for that specific connection only?

For example, suppose I have the following policies (for simplicity all other settings match on both sides, with lifetime being the only variable):

crypto ikev1 policy 10
 lifetime 60
crypto ikev1 policy 20
 lifetime 120
crypto ikev1 policy 30
 lifetime 200

Suppose a remote peer has a lifetime setting of 100. This would match policy 20. Would the ASA "downgrade" its lifetime value to 100 only when communicating with this remote peer? Or would there be a mismatch of 100 and 120, in which case a new policy needs to be created with lifetime 100?

3 Replies

pjain2 (Cisco Employee)

Yes, the ASA will downgrade the lifetime to 100 when communicating with this remote peer. There is no mismatch in the lifetime.

When the tunnel comes up, in the "show crypto ipsec sa" output you can check the lifetime it is using for that tunnel, which is going to be the lowest value of the two configured ends.
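To make the matching rule concrete, here is an added Python model of the selection (not code from the post or from Cisco) that walks the three policies from the question the way the documentation describes for an initiating ASA: attributes first, then the lifetime rule, with the shorter lifetime used. Policy 5, the attribute values and the peer proposal are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ikev1Policy:
    """One 'crypto ikev1 policy <priority>' entry (or the remote peer's proposal)."""
    priority: int        # lower number is tried first
    authentication: str  # e.g. "pre-share"
    encryption: str      # e.g. "aes-256"
    hash_alg: str        # e.g. "sha"
    group: int           # Diffie-Hellman group number
    lifetime: int        # Phase 1 SA lifetime in seconds


def parameters_match(local: Ikev1Policy, remote: Ikev1Policy) -> bool:
    """Authentication, encryption, hash and DH group must be identical on both peers."""
    return (local.authentication, local.encryption, local.hash_alg, local.group) == \
           (remote.authentication, remote.encryption, remote.hash_alg, remote.group)


def negotiate_phase1(local_policies: List[Ikev1Policy],
                     remote: Ikev1Policy) -> Optional[Tuple[int, int]]:
    """ASA as initiator: try local policies in priority order and return
    (matched priority, lifetime actually used), or None if nothing matches.
    Lifetime rule from the quoted documentation: the remote (responder) lifetime
    must be <= the initiator's, and the shorter of the two is what gets used."""
    for pol in sorted(local_policies, key=lambda p: p.priority):
        if not parameters_match(pol, remote):
            continue                      # different auth/enc/hash/DH: skip this policy
        if remote.lifetime > pol.lifetime:
            continue                      # peer's lifetime is longer than ours: no match here
        return pol.priority, min(pol.lifetime, remote.lifetime)
    return None


# Constructed sample: the three policies from the question plus a policy 5 whose
# hash differs, so it is skipped before the lifetime rule is even considered.
LOCAL_POLICIES = [
    Ikev1Policy(5, "pre-share", "aes-256", "md5", 2, 3600),
    Ikev1Policy(10, "pre-share", "aes-256", "sha", 2, 60),
    Ikev1Policy(20, "pre-share", "aes-256", "sha", 2, 120),
    Ikev1Policy(30, "pre-share", "aes-256", "sha", 2, 200),
]
REMOTE_PEER = Ikev1Policy(1, "pre-share", "aes-256", "sha", 2, 100)  # lifetime 100, as in the question

if __name__ == "__main__":
    print(negotiate_phase1(LOCAL_POLICIES, REMOTE_PEER))  # (20, 100)
```

A peer proposing 300 seconds matches none of these policies, which is the case where a new policy with a long enough lifetime would actually be needed.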

Yes, the ASA will downgrade the lifetime to 100 when communicating with this remote peer. There is no mismatch in the lifetime.

Would that be true even for non-Cisco devices? I have a situation where the ASA is set for a 24 hour lifetime, and the remote peer is non-Cisco and set for 18 hours. The tunnel resets every 6 hours, which is the difference in the lifetimes.

Yes, it is true even for non-Cisco devices. The default Phase 1 lifetime on the ASA is 24 hours. The rekey will happen using the Phase 2 lifetime; please check that on both ends for the rekey timer.