IPSec SA lifetime kilobyte disabled

SridharD
Beginner

Hello All,

During a recent troubleshooting session in my client's network environment, I was checking an IPsec VTI tunnel from a Cisco router to a Palo Alto device (not aware of the model) which was flapping. As checked, the SA lifetime kilobytes is disabled on the Palo Alto firewall end, so I have disabled the same on the router end (as it is recommended to have matching parameters on both ends) for that particular IPsec profile. But even after that I could see that IPsec is still rekeying with both the data lifetime and the time lifetime, as per the output from sh crypto ipsec sa.

 

And show crypto map gives the below output (output is filtered):

Crypto Map: "CRYPTOMAP" IKEv2 profile: IKEV2-PROFILE

Crypto Map IPv4 "CRYPTOMAP" 65536 ipsec-isakmp
...
Kilobyte Volume Rekey has been disabled.
Security association lifetime:28800 seconds
...

Crypto Map IPv4 "CRYPTOMAP" 65537 ipsec-isakmp
...
Security association lifetime: 4608000 kilobytes/28800 seconds
...
Always create SAs
Interfaces using crypto map CRYPTOMAP:
Tunnel1

 

Is disabling the lifetime kilobytes in the IPsec profile enough, or am I missing any config here? What do 65536 & 65537 in the crypto map indicate?

// Thanks in Advance.
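The quickest way to see whether the kilobyte lifetime is really gone is to check every entry in show crypto map, not just the one you edited, because a VTI can end up with more than one router-assigned entry (65536 and 65537 above) and only one of them may carry the "Kilobyte Volume Rekey has been disabled." line. The script below is an added example, not part of the original thread or of any Cisco tool: it parses the filtered output from the question (embedded here as a constructed sample, indentation assumed) and lists the entries that can still rekey on traffic volume.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the filtered "show crypto map" output posted in
# the question: two router-assigned entries, only the first with the kilobyte
# volume rekey disabled. The indentation of the sub-lines is assumed.
SAMPLE_SHOW_CRYPTO_MAP = """\
Crypto Map: "CRYPTOMAP" IKEv2 profile: IKEV2-PROFILE

Crypto Map IPv4 "CRYPTOMAP" 65536 ipsec-isakmp
        Kilobyte Volume Rekey has been disabled.
        Security association lifetime:28800 seconds

Crypto Map IPv4 "CRYPTOMAP" 65537 ipsec-isakmp
        Security association lifetime: 4608000 kilobytes/28800 seconds
        Always create SAs
        Interfaces using crypto map CRYPTOMAP:
                Tunnel1
"""

ENTRY_RE = re.compile(r'^Crypto Map IPv4 "(?P<name>[^"]+)" (?P<seq>\d+) (?P<mtype>\S+)')
KB_DISABLED_RE = re.compile(r"Kilobyte Volume Rekey has been disabled")
LIFETIME_RE = re.compile(
    r"Security association lifetime:\s*(?:(?P<kb>\d+) kilobytes/)?(?P<sec>\d+) seconds"
)


@dataclass
class MapEntry:
    name: str
    seq: int                      # sequence number; the router assigns these from 65536 up
    kb_disabled: bool = False     # "Kilobyte Volume Rekey has been disabled." was seen
    kilobytes: Optional[int] = None
    seconds: Optional[int] = None


def parse_show_crypto_map(text: str) -> List[MapEntry]:
    """Walk the output line by line and collect one MapEntry per 'Crypto Map IPv4' block."""
    entries: List[MapEntry] = []
    current: Optional[MapEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = ENTRY_RE.match(line)
        if header:
            current = MapEntry(name=header["name"], seq=int(header["seq"]))
            entries.append(current)
            continue
        if current is None:
            continue  # banner lines before the first entry
        if KB_DISABLED_RE.search(line):
            current.kb_disabled = True
        life = LIFETIME_RE.search(line)
        if life:
            current.seconds = int(life["sec"])
            if life["kb"]:
                current.kilobytes = int(life["kb"])
    return entries


def entries_with_volume_rekey(entries: List[MapEntry]) -> List[int]:
    """Sequence numbers of entries that can still rekey on traffic volume."""
    return [e.seq for e in entries if not e.kb_disabled]


def report(entries: List[MapEntry]) -> List[str]:
    """One human-readable line per entry."""
    lines = []
    for e in entries:
        kb = "disabled" if e.kb_disabled else f"{e.kilobytes} KB"
        lines.append(f"{e.name} seq {e.seq}: volume rekey {kb}, time {e.seconds} s")
    return lines


if __name__ == "__main__":
    parsed = parse_show_crypto_map(SAMPLE_SHOW_CRYPTO_MAP)
    print("\n".join(report(parsed)))
    print("entries still rekeying on kilobytes:", entries_with_volume_rekey(parsed))
```

Run against the sample it reports seq 65537 as still carrying the 4608000 KB lifetime; on a live box, paste the full (unfiltered) show crypto map output in place of the sample and check that every entry bound to Tunnel1 shows volume rekey disabled.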


crypto ipsec security-association lifetime kilobytes: The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key. Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.

The lifetime values are ignored for manually established security associations.

 

65536 & 65537 in the crypto map are the crypto-map numbers, which are dynamically assigned by the router.

please do not forget to rate.

Hello Sheraz,

Thanks for your response.

I understand why we are using crypto ipsec security-association lifetime kilobytes. In my customer's network they only want the rekey to happen with the lifetime seconds.

So my question is: even when I disabled the lifetime kilobytes in the particular IPsec profile for that tunnel, it is still rekeying with both the lifetime kilobyte and lifetime seconds values. Is there anything that I am missing from the configuration end?

Note: Lifetime kilobyte is not disabled for the default IPsec profile.

Thanks in Advance

An IPsec SA has two lifetime values: time in seconds (default 28,800) and data/traffic volume in kilobytes (default 4,608,000). When a peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or the locally configured lifetime value as the lifetime of the new SA. The SA expires after the first of these lifetimes is reached.

You may want to set lifetime values shorter, such as 4 hours, so that your data encryption keys are negotiated more often. It is useful in those scenarios where you are transferring very confidential and crucial data and you want to regenerate new keys often. You can also modify the IPsec SA volume lifetime in kilobytes so that it negotiates new keys when a specific amount of data has been encrypted by the current keys. If kilobytes are disabled, then rekeying will happen on the lifetime seconds.

please do not forget to rate.

Hello Sheraz,

Thanks again.

I have disabled the kilobytes so that rekeying may happen only with the lifetime seconds. But as per the below output logs, I could see rekeying is still happening with both the kilobytes and seconds lifetimes.

LOG:

CISCO1121#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel1
Profile: IKEV2-PROFILE
Uptime: 05:38:05
Session status: UP-ACTIVE
Peer: x.x.x.x port 500 fvrf: VRFNAME ivrf: (none)
      Phase1_id: x.x.x.x
      Desc: (none)
  Session ID: 5
  IKEv2 SA: local y.y.y.y/500 remote x.x.x.x/500 Active
          Capabilities:D connid:4 lifetime:02:21:55
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 920628103 drop 1385 life (KB/Sec) 3121412/7 hours, 55 mins
        Outbound: #pkts enc'ed 549915202 drop 0 life (KB/Sec) 3851866/7 hours, 55 mins

// Thanks in Advance
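The "life (KB/Sec)" column in that output is the evidence worth reading closely: with the default 4,608,000 KB lifetime, an SA that shows far fewer kilobytes left after only a few minutes is going to hit the volume limit long before the 8-hour timer. The script below is an added example (not from the thread or from Cisco) that parses the two SA lines above, embedded here as a constructed sample, and extrapolates which lifetime the current SA will reach first. It assumes the column shows remaining values, that the configured lifetimes are the 4608000 KB / 28800 s seen in the thread, and that traffic continues at the rate observed so far on the SA; the remaining time is reported rounded to minutes, so the estimate is coarse.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the SA lines from the poster's "show crypto session detail",
# peer addresses already masked as in the thread.
SAMPLE_SESSION_DETAIL = """\
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 920628103 drop 1385 life (KB/Sec) 3121412/7 hours, 55 mins
        Outbound: #pkts enc'ed 549915202 drop 0 life (KB/Sec) 3851866/7 hours, 55 mins
"""

# Lifetimes in force per the thread (the IOS defaults): 4,608,000 KB and 28,800 s.
LIFETIME_KB = 4608000
LIFETIME_SEC = 28800

SA_RE = re.compile(
    r"^\s*(?P<direction>Inbound|Outbound):.*life \(KB/Sec\) (?P<kb>\d+)/(?P<time>.+?)\s*$"
)
_UNIT_SECONDS = {"hour": 3600, "hours": 3600, "min": 60, "mins": 60, "sec": 1, "secs": 1}


def parse_remaining_time(text: str) -> int:
    """Convert IOS wording such as '7 hours, 55 mins' (or a bare second count) to seconds."""
    total = 0
    for number, unit in re.findall(r"(\d+)\s*([A-Za-z]*)", text):
        if unit and unit.lower() not in _UNIT_SECONDS:
            raise ValueError(f"unknown time unit {unit!r} in {text!r}")
        total += int(number) * (_UNIT_SECONDS[unit.lower()] if unit else 1)
    return total


def parse_sa_life(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {direction: (remaining_kb, remaining_sec)} for each SA line found."""
    result: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            result[m["direction"]] = (int(m["kb"]), parse_remaining_time(m["time"]))
    return result


def predict_rekey_trigger(remaining_kb: int, remaining_sec: int,
                          lifetime_kb: Optional[int] = LIFETIME_KB,
                          lifetime_sec: int = LIFETIME_SEC) -> Tuple[str, float]:
    """Which lifetime the current SA will hit first, by linear extrapolation.

    The part of each budget already used (lifetime minus remaining) gives the
    traffic rate seen on this SA so far; time-to-volume-exhaustion at that rate
    is compared with the seconds left. lifetime_kb=None models a profile whose
    kilobyte lifetime is disabled. Returns (trigger, seconds_until_trigger).
    """
    if lifetime_kb is None:
        return "seconds", float(remaining_sec)
    elapsed = lifetime_sec - remaining_sec
    consumed_kb = lifetime_kb - remaining_kb
    if elapsed <= 0 or consumed_kb <= 0:
        return "seconds", float(remaining_sec)  # no traffic observed yet, no rate to extrapolate
    rate_kb_per_sec = consumed_kb / elapsed
    secs_until_volume = remaining_kb / rate_kb_per_sec
    if secs_until_volume < remaining_sec:
        return "kilobytes", secs_until_volume
    return "seconds", float(remaining_sec)


if __name__ == "__main__":
    for direction, (kb, sec) in parse_sa_life(SAMPLE_SESSION_DETAIL).items():
        trigger, eta = predict_rekey_trigger(kb, sec)
        print(f"{direction}: {kb} KB / {sec} s left -> expect rekey on {trigger} in ~{eta:.0f} s")
```

On the sample, both directions come out as volume-triggered within minutes, which matches the rekeying the poster is seeing; after a fix that really removes the kilobyte lifetime, the same check should report "seconds" for both SAs.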

 

I think you must disable it under IPSec profile not under the global.

Hello MHM Cisco World,

Thanks for your response.

I have configured "set security-association lifetime kilobytes disable" under the IPsec profile only, not under global. The lifetime kilobyte value is default under global.

// Thanks in Advance.

Workaround config:

set security-association lifetime seconds default

Hello MHM Cisco World,

Thanks for the response.

We are using 8 hours as the lifetime seconds value instead of the default. So in this case, do I have to configure the seconds manually again to 8 hours for this config to take effect as a workaround?

Current config: set security-association lifetime seconds 28800

Thanks in advance

This should work I think.

please do not forget to rate.

Try this workaround and see whether it changes the lifetime.
Also I found an interesting statement from Cisco:
"On Cisco ASR 1000 Series Aggregation Services Routers, the values specified for this command in the global configuration mode might not be overridden by the values specified for this command under the IPsec profile configuration mode, unless the shut and no shut commands are specified for the values under IPsec profile. If the values are not specified under IPsec profile, then global values are applied."

any update friend ?
