
can't get longer isakmp lifetimes

tato386
Level 6

I want to set a long isakmp lifetime on tunnels running between a PIX and an IOS router. I set "isakmp policy 1 lifetime 86400" on the PIX and "lifetime 86400" under the isakmp policy on the IOS router. However, when the IOS routers establish a tunnel they only get a 3600 second lifetime. I tested with a PIX-to-PIX and they did establish an 86400 second tunnel. Do I have to do something extra to the routers?

Thanks,

Diego


j.beckner
Level 1

Diego,

I stopped by this forum to look for an answer to a problem I'm having regarding IPSEC SA lifetimes on an IOS router, and just read up about an hour ago on this in the Cisco Documentation. The 3600 seconds you get is the IPSEC SA lifetime, which is different from the isakmp lifetime. The command on the IOS router from global config is: "crypto ipsec security-association lifetime seconds 86400". This is for the IOS router; I don't know what the command is on the PIX.

Hope this helps,

Joe

It sure looks like something that I ought to try.

Thanks!

Diego

By default, on Cisco routers the ISAKMP lifetime is 86400 secs and the IPSec lifetime 3600 secs. For proper working of VPN, both the values should be adjusted judiciously depending on your business scenarios. It is advisable to have IPSec SA lifetime less than or equal to ISAKMP lifetime to avoid tearing down of the VPN tunnels frequently.
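An added example, not part of any reply in this thread: a small audit that reads an IOS-style configuration, applies the defaults quoted above (ISAKMP 86400 s, IPsec SA 3600 s) and reports any ISAKMP policy whose lifetime is shorter than the global IPsec SA lifetime. The sample configurations are constructed, the function names are hypothetical, and per-crypto-map lifetime overrides are assumed absent.

```python
import re

# Defaults as quoted in the thread for Cisco routers (seconds).
DEFAULT_ISAKMP_LIFETIME = 86400
DEFAULT_IPSEC_LIFETIME = 3600

# Constructed sample: ISAKMP lifetime set, IPsec SA lifetime left at default.
SAMPLE_ROUTER = """crypto isakmp policy 1
 encr aes
 authentication pre-share
 lifetime 86400
!
"""

# Constructed sample: IPsec SA lifetime longer than the ISAKMP lifetime.
SAMPLE_MISMATCH = """crypto isakmp policy 10
 lifetime 3600
!
crypto ipsec security-association lifetime seconds 86400
"""

def parse_lifetimes(config_text):
    """Return ({policy number: ISAKMP seconds}, global IPsec SA seconds)."""
    isakmp, ipsec, policy = {}, DEFAULT_IPSEC_LIFETIME, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = int(m.group(1))
            isakmp[policy] = DEFAULT_ISAKMP_LIFETIME  # until overridden
            continue
        if not raw.startswith(" "):
            policy = None  # an unindented line ends the policy sub-mode
        m = re.fullmatch(r"lifetime (\d+)", line)
        if m and policy is not None:
            isakmp[policy] = int(m.group(1))
            continue
        m = re.fullmatch(
            r"crypto ipsec security-association lifetime seconds (\d+)", line)
        if m:
            ipsec = int(m.group(1))
    return isakmp, ipsec

def audit(config_text):
    """List policies where the IPsec SA lifetime exceeds the ISAKMP lifetime."""
    isakmp, ipsec = parse_lifetimes(config_text)
    return [f"policy {n}: IPsec SA lifetime {ipsec}s exceeds ISAKMP lifetime {s}s"
            for n, s in sorted(isakmp.items()) if ipsec > s]
```

Running `parse_lifetimes(SAMPLE_ROUTER)` shows the situation from the original question: the ISAKMP policy carries 86400 while the IPsec SA lifetime is still the 3600 default.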
