Firewall Wizards mailing list archives

PIX to PIX IPSEC VPN IKE Phase 2 problem

From: Mikael Velschow-Rasmussen <mvr () nworks dk>
Date: Thu, 9 Feb 2006 16:36:59 +0100

Hi !

Just my 2 cents :-)

IKE phase 1 (ISAKMP) is using a default lifetime of 86400 seconds. (3600 
in the scenario)
IKE phase 2 (IPSec) is using 28800 seconds default. (and the scenario is 
using the default ....
.... the default for PIX ver. 6.3 anyhow)

I wonder if you can have the IKE control channel (IKE SA) torn down before 
the 2 unidirectional data channels (the IPSec SA's). Try to set the 
lifetime lower on the PIX'es. e.g. :
Branch PIX 501
crypto map VPN 100 set security-association lifetime seconds 1800

Regards
Mikael Velschow-Rasmussen
M.Sc.e.e., SANS GCFW #0565
CCIE #9973, CCSI #22493, HP MASE
mvr () nworks dk

Nworks A/S - http://www.nworks.dk
København: Ellekær 8, DK-2730 Herlev
Århus: Søren Frichs Vej 38 K, 1. DK-8230 Åbyhøj
Tlf: +45 4485 5000 Fax: +45 4485 5001

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 07)
- <Possible follow-ups>
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Horvath, Kevin M. (Feb 07)
  - Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
    - Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 07)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 08)
  - Re: PIX to PIX IPSEC VPN IKE Phase 2 problem Julian M D (Feb 08)
- PIX to PIX IPSEC VPN IKE Phase 2 problem Mikael Velschow-Rasmussen (Feb 09)
- RE: PIX to PIX IPSEC VPN IKE Phase 2 problem Joe Keegan (Feb 15)