
Cisco ASA ASA5545 Site2site IPSEC Lifetime Phase 1 and Phase 2

chris-doro
Level 1

I've set up a VPN site2site tunnel with the ASDM wizard.
But I'm still not sure about some parameters.
In almost every site2site tunnel I've configured I had the option for 2 timers: Phase 1 (which is usually the longer) and Phase 2.
But on the ASA there is only one parameter.
I need phase 1 28800 seconds and phase 2 3600 seconds.
But which one is now the set security-association lifetime seconds 28800?
And where is the other?
I do not see it in the GUI or in the CLI.
Any suggestions?
Thanks.

1 Accepted Solution

Set security-association lifetime seconds 28800 <- this is for phase II

Under crypto ike1 policy

Add lifetime <- this is for phase I

MHM

How you can configure the lifetime and how you can check it:

[Screenshot (488).png] [Screenshot (489).png] [Screenshot (490).png]

chris-doro
Level 1

Well, I still have no idea which crypto ikev2 policy is now used for which site2site tunnel.
I have a few of them with different lifetimes, but I do not see the association between the policies and the tunnels.
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 28800
crypto ikev2 policy 4
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 24
 prf sha512
 lifetime seconds 86400

show crypto ikev2 sa <<- this gives you the details of the policy, not its name; from these details you can know which policy is selected by IKEv2

MHM
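
The matching described in the last reply, as an added example that is not part of the original thread: it parses the `crypto ikev2 policy` blocks quoted above and returns the policy numbers (with their phase 1 lifetime) whose proposals contain a given set of negotiated algorithms. The function names and the `negotiated` dictionary are assumptions; its values are typed in by hand in config-keyword form after reading them off `show crypto ikev2 sa`, and it holds algorithm keywords only (no lifetime).

```python
# Added example: match negotiated IKEv2 parameters to ASA policy blocks.
# Constructed input: the three policies quoted in the thread.
RUNNING_CONFIG = """\
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 28800
crypto ikev2 policy 4
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 24
 prf sha512
 lifetime seconds 86400
"""

SUBCOMMANDS = ("encryption", "integrity", "group", "prf", "lifetime")

def parse_ikev2_policies(config):
    """Return {policy number: {subcommand: value}} from running-config text."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 4 and words[:3] == ["crypto", "ikev2", "policy"]:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and words and words[0] in SUBCOMMANDS:
            # A subcommand may list several values; lifetime is one integer.
            is_life = words[0] == "lifetime"
            current[words[0]] = int(words[-1]) if is_life else set(words[1:])
        else:
            current = None  # any other line ends the policy block
    return policies

def matching_policies(policies, negotiated):
    """Return [(number, lifetime)] for policies offering every negotiated value."""
    hits = []
    for number in sorted(policies):  # lower number = higher priority
        policy = policies[number]
        if all(v in policy.get(k, ()) for k, v in negotiated.items()):
            hits.append((number, policy.get("lifetime")))
    return hits
```

With only the encryption and PRF values supplied, policies 4 and 5 both match; the DH group is what tells them apart.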