Can't add lifetime to isakmp policy - router

rasoftware · ‎03-28-2006

I have a strange problem that I can't add a lifetime to the "crypto isakmp policy 2". When I try to add lifetime 86400 from CLI it doesn't retain the setting. If I add say 600 seconds it does. If I do lifetime ? 86400 is supported (24hr). It will also let me enter this from the SDM but the setting doesnt add it to the config. This is the ipsec relevant section of the config:

crypto isakmp policy 2

hash md5

authentication pre-share

group 2

--- trying to add lifetime here 86400

crypto isakmp key KEYHERE address 217.x.x.90

crypto isakmp key KEYHERE address 195.x.x.90

crypto isakmp key KEYHERE address 81.x.x.90

crypto isakmp keepalive 10 10 periodic

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set PIX esp-des esp-md5-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to217.196.250.90

set peer 217.196.250.90

set transform-set PIX

set pfs group2

match address 103

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to195.172.169.90

set peer 195.172.169.90

set peer 81.149.144.90

set transform-set PIX

match address 105

!

pkhatri · ‎03-28-2006

Hey Mate,

That's because the default lifetime is 86400 seconds... as you know, IOS in general does not display commands when you set them to the default value.

Hope that helps - pls rate the post if it does.

Paresh

b-ulrich · ‎03-30-2006

Hi, I thought the default lifetime is 3600 seconds.

pkhatri · ‎03-30-2006

Hi,

Here's a link to the command reference description for the command, where it states that the default lifetime is 86400 seconds:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fipsencr/srfike.htm#wp1018722

Paresh