can't get longer isakmp lifetimes

Unanswered Question
Jun 20th, 2003

I want to set a long isakmp lifetime on tunnels running between a PIX and an IOS router. I set "isakmp policy 1 lifetime 86400" on the PIX and "lifetime 86400" under the isakmp policy on the IOS router. However, when the IOS routers establish a tunnel they only get a 3600-second lifetime. I tested with a PIX-to-PIX and they did establish an 86400-second tunnel. Do I have to do something extra to the routers?


Thanks,

Diego

j.beckner Fri, 06/20/2003 - 17:27

Diego,

I stopped by this forum to look for an answer to a problem I'm having regarding IPSEC SA lifetimes on an IOS router, and just read up about an hour ago on this in the Cisco Documentation. The 3600 seconds you get is the IPSEC SA lifetime, which is different from the isakmp lifetime. The command on the IOS router from global config is: "crypto ipsec security-association lifetime seconds 86400". This is for the IOS router; I don't know what the command is on the PIX.


Hope this helps,

Joe


DIEGO ALONSO Fri, 06/20/2003 - 18:39

It sure looks like something that I ought to try.


Thanks!


Diego

mnaveen Sat, 06/21/2003 - 03:02

By default, on Cisco routers the ISAKMP lifetime is 86400 secs and the IPSec lifetime is 3600 secs. For the VPN to work properly, both values should be adjusted judiciously depending on your business scenarios. It is advisable to have the IPSec SA lifetime less than or equal to the ISAKMP lifetime to avoid tearing down the VPN tunnels frequently.
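
The distinction discussed in this thread, as an added example that is not part of any poster's reply: a small Python check that reads an IOS running-config and reports the effective ISAKMP and IPsec SA lifetimes, applying the defaults quoted above when no lifetime command is present. The sample config, peer addresses and function names are constructed for illustration, and the per-entry `set security-association lifetime seconds` override goes beyond the global command mentioned in the thread.

```python
import re

# Defaults as stated in the thread for Cisco routers (seconds).
DEFAULT_ISAKMP = 86400
DEFAULT_IPSEC = 3600

# Constructed running-config: only the ISAKMP lifetime was set explicitly.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 86400
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 101
!
crypto map VPN 20 ipsec-isakmp
 set peer 192.0.2.2
 set security-association lifetime seconds 28800
"""

def effective_lifetimes(config):
    """Return (isakmp, ipsec): seconds keyed by policy number / crypto map entry."""
    isakmp, ipsec, global_ipsec, section = {}, {}, DEFAULT_IPSEC, None
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            global_ipsec = int(m.group(1))
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            section = ("isakmp", m.group(1))
            isakmp[m.group(1)] = DEFAULT_ISAKMP
        elif m := re.match(r"crypto map (\S+ \d+)", line):
            section = ("map", m.group(1))
            ipsec[m.group(1)] = None          # None = inherit the global value
        elif not line.startswith(" "):
            section = None                    # left the sub-mode
        elif section and section[0] == "isakmp" and (m := re.match(r" lifetime (\d+)", line)):
            isakmp[section[1]] = int(m.group(1))
        elif section and section[0] == "map" and (
                m := re.match(r" set security-association lifetime seconds (\d+)", line)):
            ipsec[section[1]] = int(m.group(1))
    # Resolve inheritance last: the global command may appear after the maps.
    return isakmp, {k: v if v is not None else global_ipsec for k, v in ipsec.items()}

def ipsec_longer_than_isakmp(config):
    """Crypto map entries whose IPsec SA lifetime exceeds the shortest ISAKMP lifetime."""
    isakmp, ipsec = effective_lifetimes(config)
    shortest = min(isakmp.values(), default=DEFAULT_ISAKMP)
    return sorted(k for k, v in ipsec.items() if v > shortest)
```

On the sample, entry `VPN 10` resolves to 3600 seconds even though the ISAKMP policy says 86400, which is the behaviour described in the original question.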
