
changing the IPSEC sa lifetime

lgontarsk
Level 1

Hi,

If I use the crypto IPSEC security-association lifetime command, doesn't that hold for all clients? I'm trying to change it only for one IPSEC SA and I don't want to interrupt any other already existing VPN clients.

Is there a way to set it for just one client?

Thanks!

Lisa G

Accepted Solutions

srue
Level 7

You can change it under the crypto map configuration for each individual connection. Since you didn't state what device your VPNs are terminated on, though, I can't give you a specific example.

The command you gave is global, for which there exists a default lifetime already. 'Local' lifetimes for individual crypto maps override this value.

Also, if two peers differ in their lifetimes during negotiation, they are 'supposed' to choose the smallest value, but still connect.
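An added example, not part of srue's reply: the global lifetime next to a per-entry override, written for a Cisco IOS router. The platform is an assumption, since the thread never names the device, and the map name, sequence numbers, peer addresses, ACL names and transform-set name are hypothetical placeholders assumed to be defined elsewhere.

```cisco
! Added example: assumes a Cisco IOS router; all names and addresses are hypothetical.
!
! Global lifetime: applies to every crypto map entry that sets no lifetime of its own.
crypto ipsec security-association lifetime seconds 3600
!
! Entry 10: one peer with its own, shorter lifetime that overrides the global value.
crypto map EXAMPLE-MAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set EXAMPLE-TS
 set security-association lifetime seconds 1800
 match address EXAMPLE-ACL-10
!
! Entry 20: no per-entry lifetime, so it keeps using the global 3600 seconds.
crypto map EXAMPLE-MAP 20 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set EXAMPLE-TS
 match address EXAMPLE-ACL-20
!
! Verification (exec mode): the per-entry value should appear under entry 10 only.
!   show crypto map
!   show crypto ipsec sa peer 192.0.2.10
```

On IOS a changed lifetime is used for SAs negotiated after the change; SAs that are already up keep the lifetime they were negotiated with until they expire or are cleared.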
