
ISAKMP vs IPSec SA lifetimes

rj.remien
Level 1

I have a hub and spoke VPN. I noticed that when I had an ISAKMP SA of 1000 sec and an IPSec SA of 8 hours, the tunnel would stop passing traffic at random intervals. The ISAKMP SA did not exist in the output from "sh cry isa sa". I then would have to execute "clear cry isa" and "clear cry sa" to resume traffic flow. With the help of the TAC, I set the ISAKMP SA to a longer lifetime than the IPSec SA. Since then, I have not had any tunnel drops.

1. Why must the ISAKMP SA lifetime be longer than the IPSec SA?

2. What causes traffic to stop flowing?

3. Does an ISAKMP SA have to be present to have traffic flowing through an IPSec tunnel?

Thanks for all answers.

RJ

1 Reply

mnaveen
Level 1

Hi RJ,

I hope you agree that ISAKMP is used as the Phase-1 negotiation during the set-up of the VPN and is used for the key exchange process. What happens is that once the two parties agree on the ISAKMP parameters, an ISAKMP SA is created and a corresponding entry is made in the SADB (SA database). This SA has the lifetime that you specify during ISAKMP negotiation.

It is this Phase-1 negotiation that sets the stage for security protocols like IPSec to negotiate their parameters. Since ISAKMP has now created an SA, all IPSec negotiation parameters go through this SA (which is secure), and eventually an IPSec SA is also created (this is Phase-2). Whatever data you send now will be IPSec protected. The IPSec SAs also have a lifetime. Whenever the lifetime of an IPSec SA is over, it will stop the user traffic, create a new IPSec SA again with the same lifetime that you gave during the IPSec configuration, and send the traffic again. What happens during this time is that the SA identification parameters change and are updated correspondingly in the SADB.

This creation of a new IPSec SA will happen only if the ISAKMP SA is still intact. This is the reason why you should have the lifetime of the ISAKMP SA longer than the lifetime of the IPSec SA. Traffic will stop passing at the point when either an ISAKMP or an IPSec negotiation is going on because a lifetime has expired. Hence an IPSec SA can expire many times before one expiry of the ISAKMP SA. Hope it's pretty clear now!

To avoid traffic stoppage, set your ISAKMP lifetime and IPSec lifetime as high as possible, but remember that the ISAKMP lifetime should be greater than the IPSec lifetime.

Cheers :-))

Naveen

mnaveen@cisco.com
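The two lifetime settings discussed in this thread, shown side by side as an added Cisco IOS configuration example (this is not configuration from either poster). The peer address, pre-shared key placeholder, transform set, crypto map name and ACL number are assumptions chosen for illustration; the SHA-256 hash and transform assume a release that supports them.

```text
! Added example, not from the original thread. Peer address, PSK, transform set,
! crypto map name and ACL number are placeholders.

! --- Setting described in the question: Phase 1 (ISAKMP) SA shorter than Phase 2 ---
! ISAKMP policy lifetime is in seconds; 1000 s is far below the IOS default of 86400.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 1000
! Global IPsec SA lifetime: 8 hours = 28800 s (IOS default is 3600).
crypto ipsec security-association lifetime seconds 28800

! --- Setting the TAC recommended: ISAKMP lifetime longer than the IPsec lifetime ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.2
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto map HUB 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 ! a per-crypto-map lifetime overrides the global value for this entry
 set security-association lifetime seconds 3600
 match address 101

! Verification (the abbreviated commands in the question expand to these):
! show crypto isakmp sa   -> Phase 1 SA state; QM_IDLE means it is established and usable
! show crypto ipsec sa    -> per-SPI counters and "remaining key lifetime (k/sec)"
! clear crypto isakmp  /  clear crypto sa  -> the manual recovery RJ had to perform
```

Apply the same values on the hub and on every spoke: when two peers propose different lifetimes, the negotiated lifetime is the shorter of the two, so a spoke still carrying the 1000-second ISAKMP policy drags the hub down to it regardless of what the hub is configured with.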
