Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Regarding SA Lifetime

Dear Team,

1.Why there is a need for setting SA lifetime.

2.Whether SA will reset earlier if we have set an idle timeout for VPN tunnel.I mean if the VPN tunnel is idle for some amount of Time and if I have set the idletime out to be less than SA reset time..then will it wait for SA to reset OR the tunnel will get disconnected once the Idletime is reached.


Re: Regarding SA Lifetime

1) The concept of a security association (SA) is fundamental to IPSec. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely. IPSec provides many options for performing network encryption and authentication. Each IPSec connection can provide encryption, integrity, authenticity, or all three. When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption, MD5 or SHA for integrity). After deciding on the algorithms, the two devices must share session keys. As you can see, there is quite a bit of information to manage. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session.

2) Lifetime of a Security Association: a time interval after

which an SA must be replaced with a new SA (and new SPI) or

should occur. This may be expressed as a time or byte count,

or a simultaneous use of both, the first lifetime to expire

taking precedence. Both initiator and responder are responsible for

constraining SA lifetime in this fashion.


New Member

Re: Regarding SA Lifetime

Dear Andrew,

Thanks a Lot.

1. But my question is why we set SA lifetime and what exactly we do in Reseting SA Lifetime(May be changing some keys).If we will not reset SA Lifetime periodically waht will happen.

Re: Regarding SA Lifetime

OK - in my original post there is a line that says "After deciding on the algorithms, the two devices must share session keys." So the SA keep a record of the session keys. The session keys are the ENCRYPTION KEYS, the encryption keys are used by both ends to encrypt and decrypt the VPN over the insuecure medium, the internet.

Just imagine if your SA never timed out - and the sessions keys stayed the same for ever. What if you used a weak encryption method or a hacked hash method to neogtiate the keys. To add to that just say that a man in the middle attack on your VPN connection at start up was performed and the encrypte keys were captured in transit.

This now means that a hacker has all the time in the world to crack the session encryption keys and get access to your network.

So apart from keeping track of all the keys, settings and timers etc. The SA offers an extra layer of security ensuring the encryption keys are renegotiated in a time period to make sure the VPN stays secure.


CreatePlease to create content