Security Basics mailing list archives
Re: IKE and IPSec SA Lifetimes.
From: "ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>
Date: Wed, 13 Aug 2008 09:11:34 +0530
Alexandre,

You are right in your understanding: the IKE Phase 1 (ISAKMP) lifetime should be greater than the IKE Phase 2 (IPSec) lifetime. 86400 sec (1 day) is a common default and is a normal value for Phase 1. Many vendor devices have their own default Phase 1 & 2 lifetimes. For example, PIX/ASA have a different default Phase 2 lifetime than Cisco routers. These values can be changed.

Possible issues/suggestions:

1) There can be an 'SA lifetime mismatch' between the two peers. (It can be debated that if both devices do not have the same lifetime, the tunnel won't come up. However, my experience suggests that many times tunnels do come up for strange reasons.) So, please confirm that both the Phase 1 & 2 lifetimes match with the peers. This has to be standardized with your 50 sites!

2) Configure keepalive between the two devices. This will make sure that the tunnel is up in case the peers are timing out unexpectedly.

Hope this helps. Let me know if any questions.

Thanks,
Aditya Govind Mukadam

On Tue, Aug 12, 2008 at 2:34 PM, Alexandre Verriere <alexandre.verriere () gmail com> wrote:
Hi all!

We are working with VPNs between Zyxel routers and we have a strange issue. The VPN dies and IKE retransmit messages are sent until the limit is reached.

BTW, I'm not the person who configured the routers, and I noticed that the IKE and IPsec SAs are set with the same time value of 86400.

My question is: usually IKE SA lifetimes are greater than IPSec SA lifetimes, so are these settings responsible for the troubles we have?

Since we are in a production environment, I ask this question because we have 50+ VPNs and I'm struggling to find where the catch is.

If anyone can help…

Thanks in advance.
Alexandre Verriere.
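
The two checks suggested in the reply above (lifetimes match between peers, and Phase 1 is greater than Phase 2 on each device), written as an added example that is not part of the original thread. The inventory, device names and the 28800/3600 values are constructed for illustration; in practice the numbers would be collected from each router's configuration.

```python
from typing import NamedTuple


class Endpoint(NamedTuple):
    device: str
    phase1_s: int  # IKE (ISAKMP) SA lifetime in seconds
    phase2_s: int  # IPsec SA lifetime in seconds


def audit_tunnel(name, a, b):
    """Return a list of findings for one tunnel (two endpoints)."""
    findings = []
    # Check 1: both peers should be configured with the same lifetimes.
    if a.phase1_s != b.phase1_s:
        findings.append(f"{name}: Phase 1 lifetime mismatch "
                        f"({a.device}={a.phase1_s}s, {b.device}={b.phase1_s}s)")
    if a.phase2_s != b.phase2_s:
        findings.append(f"{name}: Phase 2 lifetime mismatch "
                        f"({a.device}={a.phase2_s}s, {b.device}={b.phase2_s}s)")
    # Check 2: on each device, Phase 1 should outlive Phase 2.
    for ep in (a, b):
        if ep.phase1_s <= ep.phase2_s:
            findings.append(f"{name}: {ep.device} Phase 1 ({ep.phase1_s}s) "
                            f"is not greater than Phase 2 ({ep.phase2_s}s)")
    return findings


def audit_all(tunnels):
    """Map tunnel name -> findings, omitting tunnels with no findings."""
    report = {}
    for name, (a, b) in sorted(tunnels.items()):
        findings = audit_tunnel(name, a, b)
        if findings:
            report[name] = findings
    return report


# Constructed inventory: site01 mirrors the setup in the question (both 86400).
TUNNELS = {
    "hq-site01": (Endpoint("hq", 86400, 86400), Endpoint("site01", 86400, 86400)),
    "hq-site02": (Endpoint("hq", 86400, 28800), Endpoint("site02", 86400, 3600)),
    "hq-site03": (Endpoint("hq", 86400, 28800), Endpoint("site03", 86400, 28800)),
}

if __name__ == "__main__":
    for findings in audit_all(TUNNELS).values():
        print("\n".join(findings))
```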