IPSec lifetimes

JohnTylerPearce
Level 7

I have a customer who needs to configure a site-to-site VPN with Microsoft Azure. They currently have several site-to-site VPNs configured, and according to MS, they have their own IPSec lifetimes, which are different from all of our other VPNs. I really don't want to have to set up a lot of downtime for a customer just for one site-to-site VPN. Is there a way to configure IPSec lifetime parameters for a specific site-to-site VPN, instead of globally?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

For ASA the command format could, for example, be

ASA(config)# crypto map CRYPTO 1 set security-association lifetime ?
configure mode commands/options:
  kilobytes  Security association duration in kilobytes
  seconds    Security association duration in seconds

It would naturally also contain other lines such as

crypto map CRYPTO 1 set peer x.x.x.x
crypto map CRYPTO 1 match address
crypto map CRYPTO 1 set ikev1 transform-set

The "ikev1" parameter came with the new 8.3 and newer software levels as there is now also "ikev2".

The global values to my understanding are configured with the below configuration

ASA(config)# crypto ipsec security-association lifetime ?
configure mode commands/options:
  kilobytes  Lifetime kilobytes
  seconds    Lifetime seconds

- Jouni


4 Replies


Thanks for the quick and educational response. Correct me if I'm wrong, but you can only enable one crypto map per interface, right?

Hi,

Below is a quote from the ASA command reference:

Usage Guidelines

crypto map interface

Use this command to assign a crypto map set to any active adaptive security appliance interface. The adaptive security appliance supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services.

You can assign only one crypto map set to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are part of the same set and are all applied to the interface. The adaptive security appliance evaluates the crypto map entry with the lowest seq-num first.

So it seems that there is only one crypto map per interface.

- Jouni

You only have one crypto map per interface, but this one crypto map can contain many sequence-numbers each with a crypto-definition (acl, transform, peer, lifetime ...).


Sent from Cisco Technical Support iPad App
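To check which lifetime each crypto map entry will actually negotiate before touching a production box, here is an added Python example (not code from the thread or from Cisco): it parses a constructed ASA running-config excerpt and reports, per sequence number, whether the per-entry `set security-association lifetime` from Jouni's accepted answer or the global `crypto ipsec security-association lifetime` value applies. The 28800 s / 4608000 KB fallback is the documented ASA default and is assumed here only when no global line is present.

```python
import re

# Documented ASA defaults for the global IPsec SA lifetime, assumed as fallback when the config has no global line.
DEFAULT_LIFETIME = {"seconds": 28800, "kilobytes": 4608000}

# Constructed sample config (not from a real device): entry 1 overrides the lifetime, entry 2 inherits the global.
SAMPLE_CONFIG = """
crypto ipsec security-association lifetime seconds 3600
crypto map CRYPTO 1 match address AZURE_VPN
crypto map CRYPTO 1 set peer 203.0.113.10
crypto map CRYPTO 1 set security-association lifetime seconds 27000
crypto map CRYPTO 1 set security-association lifetime kilobytes 102400000
crypto map CRYPTO 2 match address BRANCH_VPN
crypto map CRYPTO 2 set peer 198.51.100.20
crypto map CRYPTO interface outside
"""

GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime (.+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) set security-association lifetime (.+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
UNIT_RE = re.compile(r"(seconds|kilobytes) (\d+)")  # tolerates one or both units on a line

def effective_lifetimes(config):
    """Return {(map_name, seq): {...}} with the lifetime each crypto map entry will use."""
    global_lt = dict(DEFAULT_LIFETIME)
    entries = {}
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            global_lt.update((u, int(v)) for u, v in UNIT_RE.findall(m.group(1)))
        elif m := PEER_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), {})["peer"] = m.group(3)
        elif m := ENTRY_RE.match(line):
            e = entries.setdefault((m.group(1), int(m.group(2))), {})
            e.update((u, int(v)) for u, v in UNIT_RE.findall(m.group(3)))
    result = {}
    for key, e in sorted(entries.items()):  # lowest seq-num first, the order the ASA evaluates them
        result[key] = {
            "peer": e.get("peer"),
            "seconds": e.get("seconds", global_lt["seconds"]),
            "kilobytes": e.get("kilobytes", global_lt["kilobytes"]),
            "overridden": {u for u in DEFAULT_LIFETIME if u in e},  # units set on the entry itself
        }
    return result

if __name__ == "__main__":
    for (name, seq), lt in effective_lifetimes(SAMPLE_CONFIG).items():
        src = "per-entry" if lt["overridden"] else "global"
        print(f"{name} {seq} peer={lt['peer']}: {lt['seconds']}s / {lt['kilobytes']}KB ({src})")
```

Run it against `show running-config crypto` output from the ASA to confirm that only the Azure entry carries the overriding lifetime and every other peer still inherits the global value.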