09-20-2017 11:19 PM - edited 03-12-2019 04:33 AM
Hello all,
I've been struggling with the following...
I have got a Cisco 2800 router which has multiple S2S VPN tunnels to various sites.
However, one VPN tunnel does not negotiate synchronous Phase 1 SA times.
On the other end (Check Point) a lifetime of 8 hours is set, while at my site an SA time of 24 hours is set.
I feel like there are some compatibility issues going on...
However, the only thing I want to know is whether it is possible to force an ISAKMP policy number to a specified VPN peer.
It seems like it is impossible; however, I find it hard to believe that it actually is impossible.
Does someone know how to do it?
PS: I don't want to change the desired ISAKMP policy to a higher priority, since it will have negative impact on the rest of VPN tunnels.
Thanks in advance.
09-20-2017 11:55 PM
The two ends should negotiate the smaller of those two settings.
I don't think you can force IKEv1 to do this. You can do this using IKEv2 - but if the remote party supported IKEv2 you probably wouldn't have a problem.
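As an added illustration (not configuration posted by anyone in this thread), the IOS fragment below contrasts the two models the reply describes: IKEv1 ISAKMP policies are global and carry no peer selector, whereas an IKEv2 profile is matched on the remote identity and can carry its own IKE SA lifetime. Addresses, object names and the pre-shared key are placeholders.

```cisco
! --- IKEv1: policies are global and are tried in priority order for
! every peer. There is no per-peer match here, so the 24h lifetime
! below applies to all IKEv1 peers; only negotiation can shorten it.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! placeholder peer address and key
crypto isakmp key PLACEHOLDER_KEY address 203.0.113.10

! --- IKEv2: the profile is selected per peer via "match identity",
! so one peer can get an 8h IKE SA lifetime while others keep 24h.
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-DEFAULT
 proposal PROP-AES256
crypto ikev2 keyring KR-CHECKPOINT
 peer CHECKPOINT
  address 203.0.113.10
  pre-shared-key PLACEHOLDER_KEY
crypto ikev2 profile PROF-CHECKPOINT
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-CHECKPOINT
 ! 8h IKE SA lifetime for this peer only (default is 86400 s)
 lifetime 28800
```

Whichever version is in use, `show crypto isakmp sa detail` (IKEv1) or `show crypto ikev2 sa detailed` (IKEv2) shows the lifetime actually negotiated with each peer, which is the value to compare against the Check Point side.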
09-20-2017 11:59 PM
Well we are using IKEv1 for all the tunnels.
Regarding the time negotiation, I also think the smaller one should be chosen.
That is why I think there are some compatibility issues going on.
In some cases it does spontaneously negotiate 8 hours, but most of the time it doesn't.