configuring rekey interval

alonciscoadv
Level 1

Hi,

I've configured the re-xauth feature on the group-policy of ASA 8.2(4).

My target is to make users reauthenticate every 10 minutes. The problem is I can't find any place where I can change the IKE rekey interval to 10 min. I think the default is one hour (3600 sec).

Does anyone know where I can change it?

4 Replies

Jennifer Halim
Cisco Employee

Here is the command to change it:

crypto isakmp policy <priority> lifetime <seconds>

You would need to change it on all the policies, depending on which IKE policy the VPN client is matching on.

I did try this one, but it didn't change the IKE rekey interval; it changed the IPsecOverNatT rekey interval, and this interval does not trigger the re-xauth feature.

You would need to change both the "crypto isakmp" and "crypto map" rekey time because IKE is phase 1 that actually builds IPSEC (phase 2).

But, do you really want to trigger rekey every 10 minutes? That would not only annoy the users but it will put a lot of load on the ASA, depending on how many tunnels are built. If you have lots of tunnels, the ASA will just be busy doing rekey every 10 minutes, and randomly depending on when the users connect.

The default rekey time is 3600 sec. I waited to see what would happen when the rekey triggered the re-xauth, and it just disconnected the session without prompting for user/pass. Since it is just like a session terminate feature, I gave up using the re-xauth feature.

As for your question, the reason for this is because I don't completely trust the users and this is a temporary access...
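
Added example, not part of the thread: the replies above say both the "crypto isakmp" (phase 1) and "crypto map" (phase 2) lifetimes have to be changed, so this Python check reads a running-config and reports which lifetimes are not at the intended value and which group-policies have re-xauth enabled. The sample config, its names (DYN_MAP, OUTSIDE_MAP, TEMP_ACCESS) and its values are constructed, and the parser assumes the ASA 8.2 running-config layout shown in the sample.

```python
import re

# Constructed sample in ASA 8.2 running-config style; all names and values are illustrative.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 lifetime 600
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 lifetime 86400
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
group-policy TEMP_ACCESS attributes
 re-xauth enable
"""

PHASE2 = re.compile(r"crypto (?:dynamic-)?map (\S+) (\d+) set "
                    r"security-association lifetime seconds (\d+)")

def rekey_timers(config):
    """Collect phase 1 and phase 2 lifetimes and the group-policies with re-xauth on."""
    timers = {"phase1": {}, "phase2": {}, "re_xauth": []}
    section = []  # words of the top-level command that owns the indented lines
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):
            section = words
            m = PHASE2.match(line)
            if m:
                timers["phase2"][f"{m.group(1)} {m.group(2)}"] = int(m.group(3))
        elif section[:3] == ["crypto", "isakmp", "policy"] and len(section) == 4:
            if len(words) == 2 and words[0] == "lifetime" and words[1].isdigit():
                timers["phase1"][f"policy {section[3]}"] = int(words[1])
        elif (section[:1] == ["group-policy"] and len(section) > 1
              and words == ["re-xauth", "enable"]):
            timers["re_xauth"].append(section[1])
    return timers

def not_at_target(config, target_seconds):
    """List every phase 1 / phase 2 entry whose lifetime differs from the target."""
    timers = rekey_timers(config)
    return sorted(f"{phase} {name}: {secs}s" for phase in ("phase1", "phase2")
                  for name, secs in timers[phase].items() if secs != target_seconds)

if __name__ == "__main__":
    for entry in not_at_target(SAMPLE_CONFIG, 600):
        print("not at the 10-minute target:", entry)
```

In the constructed sample only IKE policy 10 was lowered to 600 seconds, so the check names policy 20 and the dynamic-map entry as still carrying longer lifetimes.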