On the ASAs (8.x) when i creare a crypto map it automagically adds:
set security-association lifetime kilobytes 4608000
I have been able to change the number of kilobytes but have not been able to remove this setting entirely for tunnels where we do not want to have a lifetime based on kilobytes but rather only on time.
How do I remove this?
I don't have the same problem you are.
no crypt map
It may not let you do this while the tunnel is established though.
I tried that...it didnt go anywhere. That is actually what they list in the documentation as a way to remove this setting...doesnt seem to work though.
I was able to reproduce it.
no ipsec security-association lifetime kilo
It sets a default, and it should remove it from your crypto map.
I removed my crypto map and recreated another one:
I had two lifetime settings in my crypto map after setting it, but I was able to remove the one that wasn't the default.
So if you set your lifetime to seconds, you should be able to remove you kb one with "no crypt map
interesting, was this in 8.x? I will have to try that.
Maybe my lifetime in seconds was still at the default setting when i was trying to remove the kb one...
When I run the ipsec security.... it automatically adds it to my existing crypto maps. I still couldn't remove it from the crypto map with "no crypto...", but I could remove it with "no ipsec security...."
And I'm running 8.0(3) on mine.
I do not believe that there is an option to remove the kilobits lifetime. You can set it to a very high value (2147483647 K on my ASA) to reduce the chance that it will be exceeded. But I do not believe that you can remove it.
It is a basic part of the specification of IPSec. The thought behind it is similar to the thought behind the time based lifetime: the longer the Security Association uses the same keys (or the more data is transmitted using the same keys) the better chance some intruder has of breaking the keys. Why would you want to remove this protection.
I am pretty sure 6.x did not have this enabled by default and as far as I know there were no security compromises as a result. I think setting either the time or the KB is sufficient security.
I just built a tunnel with someone and they had a preference to not use the KB lifetime and only use the time lifetime. I had no problem with this since i think the KB lifetime is not necessary but I was unable to meet their requested settings and had to make them add a KB lifetime.
Also worth noting the KB lifetime set by default is greater than the maximum KB lifetime on checkpoint firewalls...so if you are building a VPN to a CP you have to change this setting....
Generally speaking I would rather not have something set if I dont know why it is needed and if its value was arbitrarily chosen....just one more thing to cause problems.
Oh, and to change your default, you can type:
ipsec security-association lifetime seconds
no ipsec security-association lifetime kilobytes
That should remove it from your crypto map and then you can specify in your map what you want.
Let me know, I'm curious =)
You and John are discussing whether you can get the statement to not show up in the config file. Given the Cisco practice that default values generally do not show up in the running config, making it not show in the running config is not necessarily the same as not having it active.
I have never done a show crypto map that there was not a crypto lifetime in kilobytes. I do not believe that Cisco gives you the option to disable lifetime in kilobytes.
Old thread but was having this same question and found that you can set the lifetime to unlimited.
set security-association lifetime kilobytes unlimited
configure mode commands/options:
<10-2147483647> Security association duration in kilobytes
unlimited Disable data rekey