New Member

VPNs Phase 1 Keylife vs Phase 2 keylife

Why must a VPN's Phase 1 keylife be greater than the Phase 2 keylife, and what will happen if the Phase 2 keylife is greater than the Phase 1 keylife?

1 ACCEPTED SOLUTION
Cisco Employee

Ccryshna1,

As your Phase 1 (IKE) SA is used to secure a channel for control plane traffic, it must be established in order to establish or re-establish your Phase 2 SA. Therefore, if your Phase 1 lifetime is shorter than your Phase 2 lifetime, you must establish a new Phase 1 SA every time Phase 2 rekeys. If you are using Main Mode and Quick Mode, this is an extra six-packet exchange which must occur at each Phase 2 rekey.

HTH,

Frank
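As an added example (not from the thread or from Frank's answer), a small Python check that reads a constructed IOS-style configuration for the ISAKMP policy lifetime and the IPsec SA lifetime, flags the case the question asks about, and counts how many on-demand Phase 1 rebuilds the Phase 2 rekeys would trigger over a day. The config text, the fallback values used when a lifetime is not configured (86400 s and 3600 s, the IOS defaults), and the simplifying assumption that Phase 1 is only rebuilt when a Phase 2 rekey finds it expired are all assumptions of this example.

```python
import re

# Constructed IOS-style fragment for this example (not from the thread):
# the ISAKMP (Phase 1) lifetime is shorter than the IPsec (Phase 2) lifetime.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 lifetime 3600
crypto ipsec security-association lifetime seconds 28800
"""

# Values used when a lifetime is not configured (IOS defaults; an assumption here).
DEFAULT_P1, DEFAULT_P2 = 86400, 3600

def parse_lifetimes(config: str) -> dict:
    """Collect Phase 1 (isakmp policy) and Phase 2 (IPsec SA) lifetimes in seconds."""
    phase1, phase2, in_policy = [], [], False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True          # indented lines that follow belong to this policy
            continue
        if not line.startswith(" "):
            in_policy = False
        text = line.strip()
        if in_policy and text.startswith("lifetime "):
            phase1.append(int(text.split()[1]))
        m = re.match(r"(?:crypto ipsec |set )security-association lifetime seconds (\d+)", text)
        if m:                         # global or per-crypto-map IPsec lifetime
            phase2.append(int(m.group(1)))
    return {"phase1": phase1, "phase2": phase2}

def check_lifetimes(config: str) -> tuple:
    """Return (ok, p1, p2); ok is False when the shortest Phase 1 lifetime does not exceed the longest Phase 2 one."""
    lt = parse_lifetimes(config)
    p1 = min(lt["phase1"]) if lt["phase1"] else DEFAULT_P1
    p2 = max(lt["phase2"]) if lt["phase2"] else DEFAULT_P2
    return p1 > p2, p1, p2

def rekey_cost(p1: int, p2: int, horizon: int) -> tuple:
    """Simulate Phase 2 rekeys within `horizon` seconds. Assumes both SAs are built
    at t=0 and Phase 1 is rebuilt only when a rekey finds it expired. Returns
    (phase1_rebuilds, control_packets): 6 packets per Main Mode, 3 per Quick Mode."""
    p1_expiry, rebuilds, rekeys = p1, 0, 0
    for t in range(p2, horizon, p2):
        rekeys += 1
        if t >= p1_expiry:            # no live IKE SA: Main Mode must run again first
            rebuilds += 1
            p1_expiry = t + p1
    return rebuilds, rekeys * 3 + rebuilds * 6
```

With the sample values, `check_lifetimes(SAMPLE_CONFIG)` reports the misordering and `rekey_cost(3600, 28800, 86400)` shows every Phase 2 rekey in a day paying for a fresh Main Mode exchange, whereas the default ordering (86400/3600) needs none.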
