Cisco Support Community

New Member

ipsec security association (SA) lifetime mismatch

Can somebody tell me what happens when the IPSEC SA lifetime mismatch happens in a VPN tunnel? I tried creating a mismatch on two Cisco routers but it worked without any problem. Just wanted to confirm whether, theoretically, it affects the IPSEC traffic in any way.

Does negotiation happen when the lower lifetime expires? Is that the case?

I read that the tunnel won't come up at all when there is an IPSEC mismatch, but that wasn't the case..

thanks

3 REPLIES
New Member

Re: ipsec security association (SA) lifetime mismatch

I believe that IKE/ISAKMP will negotiate the smallest lifetime value (seconds/bytes). You can easily check it with `show crypto isakmp sa detail` to see the lifetime value. Just execute `clear crypto isakmp` to ensure fresh SAs are created.

Kind Regards,

Danail Petrov

Cisco Employee

Re: ipsec security association (SA) lifetime mismatch

Hi,

This is how it goes: when there are 2 routers with different IPSEC SA lifetimes, the tunnel would only come up if it is initiated from the end with the higher lifetime configured. If you initiate the tunnel from the lower lifetime end, it should not come up. When the end with the higher lifetime initiates the tunnel, it is capable of setting its own lifetime to what is configured on the other end, but not vice versa.

Once the tunnel is up as per the lower lifetime, when it renegotiates, ideally it should not be successful. The reason is the IPSEC SA would still exist on the end with the higher lifetime whereas the SAs are expired on the other end, so you should see errors in the debugs.

This is the reason having the same lifetime is recommended.

HTH,

Please rate if it helps.

Regards,

Kamal

New Member

Re: ipsec security association (SA) lifetime mismatch

Ok. Did a thorough testing on the lifetimes.

It doesn't matter from which end we initiate the traffic, both ends always negotiate the lower lifetime automatically. This applies to both IPSEC and ISAKMP lifetimes.

Did the testing on ver 12.3 (22).

Theoretically what Kamal says is correct but somehow it doesn't happen that way practically, strange.

Thanks everybody.
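As an added example (not from the thread and not Cisco code), the following Python script reads the lifetime lines out of two constructed IOS config fragments, reports any mismatch, and models what each side will settle on. The model follows the IKEv1 rule that a responder accepts a proposal whose lifetime is no longer than its own and answers a longer proposal with its own shorter value in a RESPONDER-LIFETIME notify (RFC 2407), which is why both ends end up on the lower value regardless of who initiates, as the last reply observed. The config fragments, router names and addresses are constructed for the example; it assumes a single ISAKMP policy and global IPsec lifetimes, and falls back to the IOS defaults (86400 s ISAKMP, 3600 s / 4608000 KB IPsec) when a line is absent.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# IOS defaults used when the lifetime lines are absent (assumption: classic crypto-map config).
DEFAULT_ISAKMP_SECONDS = 86400
DEFAULT_IPSEC_SECONDS = 3600
DEFAULT_IPSEC_KILOBYTES = 4608000

# Constructed config fragments for two hypothetical peers, R1 and R2.
R1_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key ***** address 203.0.113.2
!
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""

R2_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ***** address 203.0.113.1
!
crypto ipsec security-association lifetime seconds 1800
crypto ipsec security-association lifetime kilobytes 2560000
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""


@dataclass(frozen=True)
class Lifetimes:
    isakmp_seconds: int
    ipsec_seconds: int
    ipsec_kilobytes: int


def parse_lifetimes(config: str) -> Lifetimes:
    """Extract ISAKMP and IPsec lifetimes from an IOS running-config fragment.

    Only the first/last 'crypto isakmp policy' block is considered (assumption:
    one policy); a real config may carry several and the one the peer matches counts.
    """
    isakmp, ipsec_s, ipsec_kb = DEFAULT_ISAKMP_SECONDS, DEFAULT_IPSEC_SECONDS, DEFAULT_IPSEC_KILOBYTES
    in_policy = False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and line.startswith(" "):
            m = re.match(r"\s+lifetime\s+(\d+)", line)
            if m:
                isakmp = int(m.group(1))
            continue
        in_policy = False
        m = re.match(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)", line)
        if m:
            if m.group(1) == "seconds":
                ipsec_s = int(m.group(2))
            else:
                ipsec_kb = int(m.group(2))
    return Lifetimes(isakmp, ipsec_s, ipsec_kb)


def negotiate(initiator: int, responder: int) -> Tuple[int, bool]:
    """Model of IKEv1 lifetime negotiation for one SA lifetime value.

    The responder accepts a proposal that is <= its own configured lifetime as-is.
    A longer proposal is accepted but answered with a RESPONDER-LIFETIME notify
    (RFC 2407 section 4.6.3.1) carrying the responder's shorter value, which the
    initiator then adopts. Returns (agreed lifetime, notify sent).
    """
    if initiator <= responder:
        return initiator, False
    return responder, True


def compare(name_a: str, cfg_a: str, name_b: str, cfg_b: str) -> List[str]:
    """Report each lifetime as OK or MISMATCH, with the outcome for either initiator."""
    a, b = parse_lifetimes(cfg_a), parse_lifetimes(cfg_b)
    report = []
    for label, va, vb in (("ISAKMP lifetime (s)", a.isakmp_seconds, b.isakmp_seconds),
                          ("IPsec SA lifetime (s)", a.ipsec_seconds, b.ipsec_seconds),
                          ("IPsec SA lifetime (KB)", a.ipsec_kilobytes, b.ipsec_kilobytes)):
        if va == vb:
            report.append(f"{label}: {va} on both peers (OK)")
            continue
        agreed_ab, notify_ab = negotiate(va, vb)  # name_a initiates
        agreed_ba, notify_ba = negotiate(vb, va)  # name_b initiates
        report.append(
            f"{label}: MISMATCH {name_a}={va} {name_b}={vb}; "
            f"{name_a} initiating -> {agreed_ab}" + (" (RESPONDER-LIFETIME)" if notify_ab else "")
            + f"; {name_b} initiating -> {agreed_ba}" + (" (RESPONDER-LIFETIME)" if notify_ba else ""))
    return report


if __name__ == "__main__":
    for line in compare("R1", R1_CONFIG, "R2", R2_CONFIG):
        print(line)
```

On a live box the negotiated values can be confirmed with the commands the replies mention (`show crypto isakmp sa detail` for the ISAKMP SA and `show crypto ipsec sa` for the IPsec SAs); a report line marked MISMATCH is the configuration to align so that rekey timing is identical on both peers rather than depending on the notify exchange.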
