Cisco Support Community
Community Member

can't get longer isakmp lifetimes

I want to set a long isakmp lifetime on tunnels running between a PIX and an IOS router. I set "isakmp policy 1 lifetime 86400" on the PIX and "lifetime 86400" under the isakmp policy on the IOS router. However, when the IOS routers establish a tunnel they only get a 3600-second lifetime. I tested with a PIX-to-PIX and they did establish an 86400-second tunnel. Do I have to do something extra to the routers?

Thanks,

Diego

3 REPLIES
Community Member

Re: can't get longer isakmp lifetimes

Diego,

I stopped by this forum to look for an answer to a problem I'm having regarding IPSEC SA lifetimes on an IOS router, and just read up about an hour ago on this in the Cisco documentation. The 3600 seconds you get is the IPSEC SA lifetime, which is different than the isakmp lifetime. The command on the IOS router from global config is: "crypto ipsec security-association lifetime seconds 86400". This is for the IOS router; I don't know what the command is on the PIX.

Hope this helps,

Joe

Community Member

Re: can't get longer isakmp lifetimes

It sure looks like something that I ought to try.

Thanks!

Diego

Community Member

Re: can't get longer isakmp lifetimes

By default, on Cisco routers the ISAKMP lifetime is 86400 secs and the IPSec lifetime is 3600 secs. For the VPN to work properly, both values should be adjusted judiciously depending on your business scenarios. It is advisable to keep the IPSec SA lifetime less than or equal to the ISAKMP lifetime to avoid tearing down the VPN tunnels frequently.
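
An added example, not part of the thread and not Cisco tooling: a small Python check that reads an IOS configuration, applies the defaults quoted in the reply above (86400 s ISAKMP, 3600 s IPsec) and flags any policy whose ISAKMP lifetime is shorter than the IPsec SA lifetime. The sample configurations and function names are constructed for illustration, and only the global IPsec lifetime command named in the thread is parsed.

```python
import re

# Defaults quoted in the thread for Cisco routers, in seconds.
DEFAULT_ISAKMP, DEFAULT_IPSEC = 86400, 3600
IPSEC_RE = re.compile(r"crypto ipsec security-association lifetime seconds (\d+)")

def effective_lifetimes(config):
    """Return per-policy ISAKMP lifetimes and the global IPsec SA lifetime."""
    isakmp, ipsec, policy = {}, DEFAULT_IPSEC, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # top-level command: any open block ends
            m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
            policy = int(m.group(1)) if m else None
            if policy is not None:
                isakmp[policy] = DEFAULT_ISAKMP   # until a lifetime line overrides it
            m = IPSEC_RE.fullmatch(line)
            if m:
                ipsec = int(m.group(1))
        elif policy is not None:          # sub-command of the current policy
            m = re.fullmatch(r"lifetime (\d+)", line)
            if m:
                isakmp[policy] = int(m.group(1))
    return {"isakmp": isakmp, "ipsec": ipsec}

def audit(config):
    """List policies whose ISAKMP lifetime is shorter than the IPsec SA lifetime."""
    life = effective_lifetimes(config)
    return [f"policy {n}: IPsec SA lifetime {life['ipsec']}s exceeds ISAKMP lifetime {s}s"
            for n, s in sorted(life["isakmp"].items()) if life["ipsec"] > s]

# Constructed sample configurations (not taken from the thread).
ONLY_ISAKMP = """
crypto isakmp policy 1
 authentication pre-share
 lifetime 86400
"""
BOTH_SET = ONLY_ISAKMP + "crypto ipsec security-association lifetime seconds 86400\n"
MISMATCH = """
crypto isakmp policy 10
 lifetime 3600
!
crypto ipsec security-association lifetime seconds 86400
"""

if __name__ == "__main__":
    for name in ("ONLY_ISAKMP", "BOTH_SET", "MISMATCH"):
        print(name, effective_lifetimes(globals()[name]), audit(globals()[name]))
```

`ONLY_ISAKMP` mirrors the situation in the original question: the ISAKMP lifetime is raised, but the IPsec SA lifetime stays at its 3600-second default.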
