The default IKE (Phase 1) SA lifetime value is 86,400 seconds (24 hours). This value can be changed with the command crypto isakmp policy 10 lifetime 50400. Note: 10 is merely a policy number.
Meanwhile, the default IPSEC (Phase 2) SA lifetime value is 28,800 seconds (8 hours) or 4,275,000 KB. The IPSec security association lifetimes can be set either globally or per crypto map instance. To configure it globally, the command syntax is
crypto ipsec security-association lifetime seconds 240.
For further details on this, you could refer to this Cisco URL http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
P/S: if you think this comment is helpful, please do rate them nicely :-)
Thanks for your reply.
But I wanted to know about the keepalive timeout rather than lifetime.
What I understand is that the lifetime is a period after which a VPN gateway rekeys, just before the time expires.
I am interested to know: if there is no traffic flow inside the tunnel for quite a long time but the lifetime is still valid for that peer, what will happen? Will the tunnel go down?
Yes, you’re correct. Lifetime is a period when a VPN gateway rekeys just before the time expires. During the typical life of the IKE Security Association (SA), packets are only exchanged over this SA when an IPSec quick mode (QM) negotiation is required at the expiration of the IPSec SAs. The default lifetime of an IKE SA is 24 hours and that of an IPSec SA is one hour. Hence, if there’s no interesting network traffic that flows through the VPN tunnel for quite a while but the lifetime period is still valid, the VPN tunnel would not go down.
However, there is no standards-based mechanism for either type of SA to detect the loss of a VPN peer, except when the QM negotiation fails. Therefore, by implementing a keepalive feature over the IKE SA, Cisco has provided a simple and non-intrusive mechanism for detecting loss of connectivity between two IPSec peers. The keepalive packets are sent every 10 seconds by default. Once three packets are missed, an IPSec termination point concludes that it has lost connectivity with its peer.
P/S: If you think this comment is useful, please do rate them nicely :-)
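The two replies above cover three separate timers (IKE SA lifetime, IPsec SA lifetime, and the IKE keepalive that actually detects a dead peer). The following is an added Cisco IOS configuration example that is not part of this thread, showing how all three are set together; the ASA syntax referenced in the URL above differs (ikev1 policy / tunnel-group attributes). Crypto algorithms, the lifetime values and the keepalive interval are illustrative choices, not defaults.

```cisco
! Added example, not from the thread. IOS router syntax; values are illustrative.
!
! Phase 1 (IKE SA) policy. "lifetime" overrides the 86400 s default for this policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 50400
!
! IKE keepalive / Dead Peer Detection. First argument: seconds between probes.
! Second argument: retry interval in seconds after a probe goes unanswered
! (it is NOT a retry count). "periodic" probes even while the tunnel is idle,
! which is what detects a silent peer before the lifetime would ever expire;
! "on-demand" (the default) probes only when traffic is waiting to be sent.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 (IPsec SA) lifetimes, set globally. A per-crypto-map
! "set security-association lifetime ..." entry would override these.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
```

To confirm the values took effect and to watch the countdown on an idle tunnel, use show crypto isakmp sa (IKE SA state) and show crypto ipsec sa, whose "remaining key lifetime (k/sec)" field shows both the byte and time budgets of each IPsec SA. With keepalives configured as above, an unreachable peer is torn down after the probe and retries fail, rather than surviving until the next rekey attempt.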