Cisco Support Community


IPSEC Concepts Clarifications

Hi folks -

I've been reading up on IPSEC and understand most of the concepts, but there are a few for which I am still a little unsure. I would appreciate if I could get a little more clarification on the concepts below.

1.) IPSEC over TCP versus IPSEC over UDP. From what I know, TCP option encapsulates the IPSEC packet using TCP and the UDP option encapsulates the IPSEC packet using UDP. TCP by default uses port 10000 and UDP uses port 4500. But what are the benefits of using TCP as opposed to using UDP? I know TCP is more reliable than UDP, but is that the only benefit?

2.) When you specify ISAKMP phase 1 parameters for a VPN tunnel, what is the purpose of the "group" setting? Also, how come there is no group setting for phase 2?

3.) Lifetime setting for ISAKMP phase 1 parameters. By default, the lifetime setting is 86400 seconds (24 hrs.). So does this mean that the SA will be up for 24 hours even if there is no interesting traffic being sent across the tunnel? If I configure the crypto isakmp keepalive for 300 seconds (5 min), and no response is received within 5 minutes, does this mean the SA will be torn down?

Thanks for your help.


Re: IPSEC Concepts Clarifications

ovt

1. Don't think of it too much ;) Always try to use UDP (NAT-T), then TCP if it doesn't work for some weird reason.

2. This describes "the strength" of the DH key agreement. Phase 2 DH group is specified via "set pfs groupX" command (PFS is NOT recommended).

3. Yes and Yes. Also, you can configure an idle timer:

crypto map mymap 10 ipsec-isakmp
 set security-association idle-time <seconds>
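The following is an added example (editor's addition, not configuration posted by ovt or the original poster) showing where each setting discussed in the three questions lives in a classic IOS IKEv1 crypto-map configuration. The peer address (203.0.113.2, an RFC 5737 documentation address), the pre-shared key placeholder, the ACL and all object names are constructed for illustration. The "set pfs" line is included only to show the phase 2 DH group command the answer refers to; whether to enable it is a policy choice.

```cisco
! Added example, not from the original post: IOS IKEv1 crypto-map site-to-site VPN.
! 203.0.113.2, VPN-TRAFFIC, TS and MYMAP are constructed placeholder values.

! Question 2: "group" selects the Diffie-Hellman group used for the IKE phase 1
! key exchange (group 14 = 2048-bit MODP). Stronger group = more CPU per IKE SA.
! Question 3: "lifetime" is the phase 1 SA lifetime in seconds (86400 = 24 h).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2

! Question 3: Dead Peer Detection. A probe is sent every 300 s; if the peer does
! not answer, the probe is retried every 10 s, and after the retries fail the IKE SA
! and its IPsec SAs are removed. Without DPD the SA simply ages out at "lifetime".
crypto isakmp keepalive 300 10 periodic

! Question 1: NAT-T (IKE and ESP carried in UDP 4500) is negotiated automatically
! when a NAT is detected; this keepalive keeps the NAT binding open while idle.
crypto isakmp nat keepalive 20

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel

! Phase 2 (IPsec) SA lifetime; 3600 s is the IOS default, shown for clarity.
crypto ipsec security-association lifetime seconds 3600

! Interesting traffic: only packets matching this ACL bring the tunnel up.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

crypto map MYMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 ! Question 2: the phase 2 DH group is chosen here, via PFS (see the answer above).
 set pfs group14
 ! Question 3: idle timer, independent of lifetime: the IPsec SA is deleted after
 ! 600 s with no traffic matching the ACL, instead of living out its lifetime.
 set security-association idle-time 600
 match address VPN-TRAFFIC

interface GigabitEthernet0/0
 crypto map MYMAP
```

Two checks worth running after applying something like this: "show crypto isakmp sa" to confirm the phase 1 SA is in QM_IDLE and "show crypto ipsec sa" to see the phase 2 SA counters and remaining lifetime; with the idle timer set, an IPsec SA that has carried no matching traffic for the configured period disappears from the second output while the IKE SA from the first remains until DPD or its own lifetime removes it.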
