ipsec security association (SA) lifetime mismatch

swapnendum · ‎04-15-2007

Can somebody tell me wht happens when the IPSEC SA lifetime mismatch happens in a VPN tunnel ? i tried creating a mismatch on two cisco routers but it worked without any problem. just wanted to confirm tht if theoritically it inflicts the IPSEC traffic in anyway ?

negotation happen when the lower lifetime expires , is it the case ?

i read tht the tunnel wont come up at all when there is a IPSEC mismatch but tht wasn't the case..

thanks

danail-petrov · ‎04-17-2007

I believe that IKE/ISAKMP will negotiate the smallest lifetime value (seconds/bytes). U can easy check it by `show crypto isakmp sa detail` to see the lifetime value. Just execute `clear crypto isakmp` to ensure creating of fresh SA's .

Kind Regards,

Danail Petrov

Kamal Malhotra · ‎04-17-2007

Hi,

This is how it goes, when there are 2 routers with different IPSEC SA lifetimes, then the tunnel would only come up if it is initiated from the end with higher lifetime configured. If you initiate the tunnel from the lower lifetime end, it should not come up. When the end with higher lifetime initiates the tunnel it is capable of setting its own lifetime to what is configured on the other end but not vice versa.

Once the tunnel is up as per the lower lifetime, when it renegotites, ideally it should not be successful. The reason is the IPSEC SA would still exist on the end with higer lifetime whereas the SAs are expired on the other end so you should see errors in the debugs.

This is the reason having the same lifetime is recommended.

HTH,

Please rate if it helps.

Regards,

Kamal

swapnendum · ‎04-17-2007

Ok. Did a thorough testing on the lifetimes.

It doesn't matter from which end we initiate the traffic, both ends always negotiate the lower lifetime automatically. This applies for both IPSEC and ISAKMP lifetimes.

Did the testing on ver 12.3 (22).

Theoritically what Kamal says is correct but somehow it doesnt happen that way practically, strange.

Thanks everybody.