Phase 1 - not negotiating properly?

droeun141
Level 1

I have a couple of VPN endpoints negotiating a 28800 lifetime, and some 86400 (default). One site, however, is configured with only one policy (86400) but negotiating at 28800. Shouldn't it pick up policy 2 instead? I know that between Cisco devices, the lower lifetime is used, but why are some picking up 86400 and some not?

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

7 Replies

Hi,

If you have both sites with the default phase 1 lifetime, that's what they will negotiate.

If both sites have 28800, that's what they will negotiate.

You're correct in that the lowest lifetime will be negotiated.

This applies to the sequence of the isakmp policies.

For instance,

Any router negotiating with this particular router will negotiate a phase 1 lifetime of 28800 unless it has the 86400 value configured, in which case it will match policy 2.

Federico.

That's the thing though, one site has only 1 policy with 86400 and is picking up the 28800.

But on that site with a single policy, do you see the policy like this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 86400

Or like this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

The difference is if the lifetime is hardcoded.

If this site has the first policy it should negotiate policy 2, but if it has the second policy it will go for policy 1.

Federico.

I tried to hardcode it on my end just to see, but it still shows up the same because it's default.

The remote site looks like this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

I think I was confused.

I believe that if a policy matches the encryption, hash, authentication and D-H group, it will then negotiate the lowest lifetime.

I think now that what you're seeing is normal behavior.

Federico.

That's the way I understood it, but I'm just confused why some pick up 86400?

The other devices that pick up the default 86400: do they match all the values for the first policy? (encryption, hash, authentication and D-H)

Federico.
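As an added illustration of the policy-matching rule discussed in this thread (this is not code from the thread or from Cisco; it is a small model written here), the script below parses the two configurations quoted above and replays the phase 1 selection in both directions. It assumes the matching rule as documented for Cisco IOS: the responder walks its own policies in priority order, a policy matches when encryption, hash, authentication and D-H group are identical and the initiator's proposed lifetime is not longer than the responder's, and the negotiated lifetime is the lower of the two. The policy names, the `negotiate` and `parse_policies` helpers and the `DEFAULT_LIFETIME` constant are this example's own, and a policy without a `lifetime` line is taken to carry the 86400-second default.

```python
"""Model of IKEv1 (ISAKMP) phase 1 policy selection between two Cisco IOS peers.

Assumed rule (documented for IOS, not taken from the thread):
  * The responder checks its own policies in priority order (lowest number
    first) against every proposal sent by the initiator.
  * A policy matches when encr / hash / authentication / group are identical
    AND the initiator's lifetime is <= the responder's lifetime.
  * The negotiated lifetime is the lower of the two lifetimes.
  * A policy with no explicit 'lifetime' line uses the 86400 s default.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_LIFETIME = 86400  # IOS default ISAKMP SA lifetime in seconds

# Constructed sample input: the two configurations quoted in the thread.
HUB_CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
"""

REMOTE_CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group  2
"""


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encr: str = "des"              # IOS defaults when a line is omitted
    hash_alg: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = DEFAULT_LIFETIME

    def same_transform(self, other: "IsakmpPolicy") -> bool:
        """True when the non-lifetime attributes are identical."""
        return (self.encr, self.hash_alg, self.authentication, self.group) == (
            other.encr, other.hash_alg, other.authentication, other.group)


def parse_policies(config: str) -> List[IsakmpPolicy]:
    """Parse 'crypto isakmp policy N' stanzas from running-config text."""
    keys = {"encr": "encr", "hash": "hash_alg",
            "authentication": "authentication", "group": "group",
            "lifetime": "lifetime"}
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("crypto isakmp policy "):
            if current is not None:
                policies.append(IsakmpPolicy(**current))
            current = {"priority": int(line.split()[-1])}
        elif current is not None:
            key, value = line.split(None, 1)   # tolerates 'group  2'
            if key in keys:
                field = keys[key]
                current[field] = int(value) if field in ("group", "lifetime") else value
    if current is not None:
        policies.append(IsakmpPolicy(**current))
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int]]:
    """Return (matching responder policy priority, negotiated lifetime) or None."""
    for rp in responder:                       # responder's priority order
        for ip in initiator:                   # every proposal received
            if rp.same_transform(ip) and ip.lifetime <= rp.lifetime:
                return rp.priority, min(ip.lifetime, rp.lifetime)
    return None


def both_directions(config_a: str, config_b: str) -> dict:
    """Replay the negotiation with each side as initiator."""
    a, b = parse_policies(config_a), parse_policies(config_b)
    return {"a_initiates": negotiate(a, b), "b_initiates": negotiate(b, a)}


if __name__ == "__main__":
    for direction, result in both_directions(HUB_CONFIG, REMOTE_CONFIG).items():
        print(f"{direction}: responder policy / lifetime = {result}")
```

Under the assumed rule the outcome depends on which peer initiates: when the hub (two policies) initiates, it proposes policy 1 first, the remote's single 86400 policy accepts the shorter 28800 proposal, and 28800 is used; when the remote initiates with 86400, the hub's policy 1 (28800) does not match because the proposal is longer, so policy 2 matches and 86400 is used. Checking `show crypto isakmp sa detail` on both ends for which side initiated is therefore the first thing to verify; from a key-management standpoint the shorter lifetime is the safer result, since it bounds how long one ISAKMP SA key is in use.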
