topic Re: IPSec lifetime configuration - FDM in Network Security

IPSec lifetime configuration - FDM

ivan.kusturic — Fri, 21 Feb 2020 17:38:16 GMT

Hello everybody,

I'm trying to find out where to specify IKE Phase 2 Lifetime duration (IPSec lifetime)? Under objects, you can only define lifetime for IKE Policies - Phase 1.

Software version is 6.3 and configuration is being done via FDM. Appliance is FirePower 2110.

Thanks.

Re: IPSec lifetime configuration - FDM

Marvin Rhoads — Mon, 28 Oct 2019 14:24:57 GMT

Unfortunately the necessary command is not supported in FDM - even when using Flexconfig.

Reference:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo91921/?rfs=iqvred

The BugID says it affects through 6.4. I just verified that even my 6.5 FTD device (managed by FDM) continues to blacklist the command.

Re: IPSec lifetime configuration - FDM

ivan.kusturic — Mon, 28 Oct 2019 14:45:03 GMT

Hello Marvin,

Thank you for the reply. Is there any way to configure this? And what is the default value used by FirePower for lifetime in Phase 2?

Btw, I'm really surprised with this information. IPsec lifetime is one of the basic configuration parameters for IKE protocol.

Re: IPSec lifetime configuration - FDM

Marvin Rhoads — Mon, 28 Oct 2019 14:48:59 GMT

It can be configured if you switch to FMC management. However you cannot configure it via FXOS or Lina CLI.

You're right it's a pretty basic setting. I keep pushing Cisco on achieving feature parity for basic things like this between ASA and FTD - no matter what management platform is used.

No excuse, but by way of explanation I'm told it's an architectural issue since FMD (and CDO) only support settings for which there is an API while FMC interacts with the Lina and clish running-configs directly. Cisco continues to enhance the API with every new release but it's still not where it needs to be.

Re: IPSec lifetime configuration - FDM

ivan.kusturic — Mon, 28 Oct 2019 19:23:13 GMT

Marvin, thank you very much for the answer and explanation.

Regards,

Ivan