Hi RJ,
I hope you agree that ISAKMP is used as the Phase-1 negotiation during the set-up of a VPN and is used for the key exchange process. What happens is that once the two parties agree on the ISAKMP parameters, an ISAKMP SA is created and a corresponding entry is made in the SADB (SA database). This SA has a lifetime that you specify during ISAKMP negotiation.
It is this Phase-1 negotiation that sets the stage for security protocols like IPSec to negotiate their parameters. Since ISAKMP has now created an SA, all IPSec negotiation parameters go through this SA (which is secure) and eventually an IPSec SA is also created (this is Phase-2). Whatever data you send now will be IPSec-protected. Even the IPSec SAs have a lifetime. Whenever the lifetime of an IPSec SA is over, it will stop the user traffic, create a new IPSec SA again for the same lifetime that you gave during IPSec configuration, and send the traffic again. What happens during this time is that the SA identification parameters are changed and they are correspondingly updated in the SADB.
This creation of a new IPSec SA will happen only if the ISAKMP SA is still intact. This is the reason why you should have the lifetime of an ISAKMP SA greater than the lifetime of an IPSec SA. The traffic will stop passing at the point when either an ISAKMP or an IPSec negotiation is going on because the lifetime has expired. Hence an IPSec SA can expire many times before one expiry of the ISAKMP SA. Hope it's pretty clear now!!
To avoid traffic stoppage, set your ISAKMP lifetime and IPSec lifetime as high as possible, but remember that ISAKMP's lifetime should be greater than that of IPSec.
Cheers :-))
Naveen
mnaveen@cisco.com
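As an added illustration (not part of Naveen's reply or any vendor code), here is a small Python model of the SADB behaviour he describes: a Phase-2 rekey installs a fresh SA identifier, it can only be negotiated while the ISAKMP SA is still alive, and a config check flags the case where the ISAKMP lifetime is not greater than the IPSec lifetime. The SPI counter and the lifetime figures are constructed assumptions for the simulation, not values from the post.

```python
from dataclasses import dataclass


@dataclass
class SA:
    """One SADB entry: its identification parameter (SPI) plus its lifetime."""
    kind: str          # "isakmp" (Phase-1) or "ipsec" (Phase-2)
    spi: int           # SA identification; every rekey installs a new SPI
    established: int   # seconds since simulation start
    lifetime: int      # seconds

    def expired(self, now: int) -> bool:
        return now >= self.established + self.lifetime


def check_lifetimes(isakmp_lifetime: int, ipsec_lifetime: int) -> list:
    """Configuration check: the Phase-1 lifetime must exceed the Phase-2 lifetime."""
    findings = []
    if isakmp_lifetime <= ipsec_lifetime:
        findings.append("ISAKMP lifetime must be greater than IPsec lifetime")
    return findings


def simulate(isakmp_lifetime: int, ipsec_lifetime: int, duration: int) -> dict:
    """Replay SA expiry second by second and count what the SADB has to do."""
    sadb = {}                      # kind -> current SA entry
    next_spi = [0x1000]            # constructed SPI counter (assumption, not a real SPI)
    stats = {"phase1": 0, "phase2": 0, "phase2_needed_phase1": 0}

    def install(kind, now, lifetime):
        next_spi[0] += 1           # identification parameter changes on each rekey
        sadb[kind] = SA(kind, next_spi[0], now, lifetime)

    def phase1(now):
        install("isakmp", now, isakmp_lifetime)
        stats["phase1"] += 1

    def phase2(now):
        # Phase-2 negotiation travels inside the ISAKMP SA, so it needs a live one;
        # otherwise a full Phase-1 has to run first (longer traffic stoppage).
        isakmp = sadb.get("isakmp")
        if isakmp is None or isakmp.expired(now):
            stats["phase2_needed_phase1"] += 1
            phase1(now)
        install("ipsec", now, ipsec_lifetime)
        stats["phase2"] += 1

    phase1(0)
    phase2(0)
    for now in range(1, duration + 1):
        if sadb["ipsec"].expired(now):
            phase2(now)
    stats["final_ipsec_spi"] = sadb["ipsec"].spi
    return stats
```

With a 24-hour ISAKMP lifetime and a one-hour IPSec lifetime, the model shows many Phase-2 rekeys under a single Phase-1 SA; with equal lifetimes every IPSec rekey also forces a Phase-1.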