
New Member

Terminating an IPSec tunnel,

Hi everyone, if I want to terminate an IPsec session forcefully after a specified amount of time, like 5 hours, what command do I need? I am using a simple site-to-site VPN between 2 sites. I want the IPsec tunnel to be terminated so that the counters in show crypto ipsec sa equal zero.

Thanks

7 REPLIES

Re: Terminating an IPSec tunnel,

You can use clear crypto sa counters.

Quote:

The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.

More command details and explanation here:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfipsec.html#wp1017393

Rgds

Jorge

New Member

Re: Terminating an IPSec tunnel,

Sorry, I forgot to mention AUTOMATICALLY. I want the IPsec tunnel (phase 2) to be terminated automatically every 5 hours.

Thanks

New Member

Re: Terminating an IPSec tunnel,

Hi,

Depending on your version of IOS, you can script commands using kron.

Cheers
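One way to do what the reply above suggests, as an added configuration example that is not part of the original post: a kron policy list runs clear crypto sa (the command from the first reply, minus the counters keyword, so the phase 2 SAs themselves are torn down) and a recurring kron occurrence fires it every five hours. The names CLEAR-IPSEC and CLEAR-IPSEC-5H are assumed placeholders.

```cisco
! Added example (not from the thread). Policy list of EXEC commands kron
! will run; each must be non-interactive, which clear crypto sa is.
kron policy-list CLEAR-IPSEC
 cli clear crypto sa
!
! Relative schedule: "in HHH:MM" with recurring repeats the run every
! 5 hours 0 minutes from the time the occurrence is configured.
kron occurrence CLEAR-IPSEC-5H in 5:00 recurring
 policy-list CLEAR-IPSEC
!
! Verify the schedule and, after the first run, that fresh SAs with
! zeroed counters are negotiated once interesting traffic returns.
show kron schedule
show crypto ipsec sa
```

Kron executes the policy list with privilege level 15, so this needs no extra AAA setup, but the occurrence only repeats while the router stays up; as the later reply notes, the SA is re-established by the next packet that matches the crypto ACL, so the tunnel is down only until interesting traffic appears.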

Gold

Re: Terminating an IPSec tunnel,

Or set your IPsec lifetimes to five hours (18000 seconds)... I don't know if this resets counters or not though.

New Member

Re: Terminating an IPSec tunnel,

Hi srue, are you sure that IPsec lifetimes terminate the tunnel? Because I heard that it just re-authenticates the tunnel! So kindly confirm for me that it terminates the tunnel.

Thanks

New Member

Re: Terminating an IPSec tunnel,

There are 2 lifetimes though, for phase 1 and 2. They will terminate the tunnel but any interesting traffic will bring it up again of course.

Gold

Re: Terminating an IPSec tunnel,

How These Lifetimes Work

Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations it will specify its global lifetime values in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

The security association (and corresponding keys) will expire according to whichever comes sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes is passed (specified by the kilobytes keyword). Security associations that are established manually (via a crypto map entry marked as ipsec-manual) have an infinite lifetime.

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever comes first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

http://cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfipsec.htm
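The two lifetimes mentioned in the thread, phase 1 (ISAKMP) and phase 2 (IPsec), expressed as IOS configuration. This is an added example, not configuration from the original posts; the ISAKMP policy number 10 and the crypto map name VPN-MAP with sequence 10 are assumed placeholders.

```cisco
! Added example (not from the thread). Phase 1: IKE/ISAKMP SA lifetime in
! seconds (IOS default is 86400).
crypto isakmp policy 10
 lifetime 18000
!
! Phase 2: global IPsec SA lifetime, 5 hours = 18000 seconds (default 3600).
! Applies to every crypto map entry that sets no lifetime of its own.
crypto ipsec security-association lifetime seconds 18000
!
! Alternatively, override the global value for one crypto map entry only.
crypto map VPN-MAP 10 ipsec-isakmp
 set security-association lifetime seconds 18000
!
! Observe the remaining lifetime and the per-SA byte/packet counters.
show crypto ipsec sa
```

Per the quoted explanation, the peers agree on the smaller of the two proposed values, and the router negotiates a replacement SA 30 seconds before the seconds lifetime expires (or 256 kilobytes before the kilobytes lifetime) as long as traffic has flowed, so the effect is a rekey rather than an outage: show crypto ipsec sa then shows a new SA whose counters start from zero, while an idle tunnel simply expires and is rebuilt on the next interesting packet.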
