If one end of an IPSEC vpn has a lifetime set to 28800 secs and the other end 3600 secs, what effect will this have on the connection? And why?
The Vpn establishes and runs okay but periodically drops out. I presume this SA Lifetime mis-match is the cause, but was just curious as to why? As my understanding was that even though the lifetimes are different they agree on the lower value anyway?
Your understanding of the IPSEC SA Lifetime is correct. If you have 3600 and 28800 has the IPSEC Lifetime between two peers, the smaller value will be considered for the SA and in your case 3600. And a new SA is negotiated 30 seconds before the lifetime (3600) expires. This should keep your traffic flowing across the tunnel without any issues.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...