Cisco Support Community

New Member

Question about IPSec SA lifetime

Hi All,

I am confused about the lifetime. From some book, they said you should keep the two peers' lifetimes exactly the same, otherwise you can't establish the tunnel. But I saw another book that said you can use different lifetimes (time interval and/or byte count), and the two peers will choose the lower one.

Please help me out. Thanks in advance.

Banlan

1 ACCEPTED SOLUTION

Cisco Employee

Re: Question about IPSec SA lifetime

There's two lifetimes involved with IPSec connections, Phase 1 (ISAKMP) and Phase 2 (IPSec).

With the Phase 1 tunnel, if the initiator has a higher lifetime than the responder, the responder will not accept the connection, so it's definitely best to keep your Phase 1 lifetimes the same.

With Phase 2, the lifetime will be negotiated to the lower of the two values regardless of who initiates, so this one doesn't matter. Still good practice to keep lifetimes the same, since you can run into negotiation issues with different vendors' devices.
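As an added illustration (not part of the thread, and not the answerer's own configuration), the following Cisco IOS fragment shows where each of the two lifetimes described above is set and which show commands reveal what was actually negotiated. Peer addresses, the pre-shared key, and the lifetime values are constructed for the example; Router B is shown first with a mismatched Phase 1 lifetime and then with the corrected one.

```cisco
! ===== Router A (initiator) -- constructed example, not from the thread =====
! Phase 1 (ISAKMP / IKE SA) lifetime is part of the ISAKMP policy, in seconds.
! Per the answer above, this value must match the peer's.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Placeholder key and documentation-range peer address (assumed values).
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.1
!
! Phase 2 (IPsec SA) lifetime: global defaults, in seconds and kilobytes.
! Per the answer above, Phase 2 negotiates to the lower of the two peers' values.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 ! Optional per-crypto-map override of the Phase 2 lifetime.
 ! Router B keeps the 3600 s default, so the negotiated value will be 1800 s.
 set security-association lifetime seconds 1800
 match address VPN-ACL
!
! ===== Router B (responder) -- mismatched Phase 1 setting =====
! Phase 1 lifetime lower than Router A's 86400 s: per the answer above,
! the responder does not accept the initiator's higher value.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! ===== Router B (responder) -- corrected Phase 1 setting =====
! Match the initiator exactly so Phase 1 completes.
crypto isakmp policy 10
 lifetime 86400
!
! ===== Verification (either peer) =====
! show crypto isakmp policy   -> configured Phase 1 lifetime per policy
! show crypto isakmp sa       -> Phase 1 SA state (QM_IDLE means established)
! show crypto ipsec sa        -> "sa timing: remaining key lifetime (k/sec)"
!                                reflects the negotiated (lower) Phase 2 lifetime
```

When checking a tunnel that fails at Phase 1, compare the `lifetime` line under `show crypto isakmp policy` on both peers before looking at anything else; a Phase 2 mismatch, by contrast, shows up only as a lower-than-expected remaining lifetime in `show crypto ipsec sa` rather than as a failure.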

