06-20-2003 05:05 PM - edited 03-09-2019 03:45 AM
I want to set a long isakmp lifetime on tunnels running between a PIX and an IOS router. I set "isakmp policy 1 lifetime 86400" on the PIX and "lifetime 86400" under the isakmp policy on the IOS router. However, when the IOS routers establish a tunnel they only get a 3600-second lifetime. I tested with a PIX-to-PIX and they did establish an 86400-second tunnel. Do I have to do something extra to the routers?
Thanks,
Diego
06-20-2003 05:27 PM
Diego,
I stopped by this forum to look for an answer to a problem I'm having regarding IPSEC SA lifetimes on an IOS router, and just read up about an hour ago on this in the Cisco Documentation. The 3600 seconds you get is the IPSEC SA lifetime, which is different from the isakmp lifetime. The command on the IOS router from global config is: "crypto ipsec security-association lifetime seconds 86400". This is for the IOS router; I don't know what the command is on the PIX.
Hope this helps,
Joe
06-20-2003 06:39 PM
It sure looks like something that I ought to try.
Thanks!
Diego
06-21-2003 03:02 AM
By default, on Cisco routers the ISAKMP lifetime is 86400 secs and the IPSec lifetime is 3600 secs. For the VPN to work properly, both values should be adjusted judiciously depending on your business scenario. It is advisable to keep the IPSec SA lifetime less than or equal to the ISAKMP lifetime to avoid tearing down the VPN tunnels frequently.
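The check discussed in this thread, as an added example that is not part of any original post: a small Python audit that reads IOS configuration text, reports the ISAKMP lifetime of each policy and the global IPsec SA lifetime, and flags policies whose ISAKMP lifetime is shorter than the IPsec SA lifetime. The function names and the sample configuration are constructed for illustration; the defaults (86400 and 3600 seconds) are the ones stated in the last reply.

```python
import re

# Router defaults as stated in the thread (seconds).
DEFAULT_ISAKMP_LIFETIME = 86400
DEFAULT_IPSEC_LIFETIME = 3600

# Constructed sample IOS configuration, not taken from a real device.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 lifetime 28800
!
crypto ipsec security-association lifetime seconds 86400
"""

def parse_lifetimes(config):
    """Return ({policy_number: isakmp_lifetime}, global_ipsec_sa_lifetime)."""
    policies, ipsec, current = {}, DEFAULT_IPSEC_LIFETIME, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = DEFAULT_ISAKMP_LIFETIME  # until overridden
            continue
        if not line.startswith(" "):
            current = None  # left the policy sub-mode
        m = re.match(r"\s+lifetime (\d+)\s*$", line)
        if m and current is not None:
            policies[current] = int(m.group(1))
        m = re.match(
            r"crypto ipsec security-association lifetime seconds (\d+)\s*$", line)
        if m:
            ipsec = int(m.group(1))
    return policies, ipsec

def audit(config):
    """List (policy, isakmp, ipsec) where ISAKMP lifetime < IPsec SA lifetime."""
    policies, ipsec = parse_lifetimes(config)
    return [(n, life, ipsec) for n, life in sorted(policies.items()) if life < ipsec]

if __name__ == "__main__":
    policies, ipsec = parse_lifetimes(SAMPLE_CONFIG)
    print("ISAKMP lifetimes:", policies, "| IPsec SA lifetime:", ipsec)
    for num, life, sa in audit(SAMPLE_CONFIG):
        print(f"policy {num}: ISAKMP {life}s is shorter than IPsec SA {sa}s")
```

A configuration with no `crypto ipsec security-association lifetime` line reports 3600 seconds, which is the situation described in the first post.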