4310 Views, 5 Helpful, 2 Replies

isakmp lifetime ???

birukgetachew
Level 1

Hi guys, I am trying to understand how VPN works and I came across this question.

If we select preshared keys for authentication during the isakmp phase 1 and set the lifetime to 24 hours, then what is going to happen after 24 hours and the key lifetime expires? Do we have to manually go to each router and change the keys?

2 Replies

No, the lifetime is not for your PSK. It's for the Phase-1 security association. This association can be rebuilt again when needed by the router.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Biruk,

By default the Router is supposed to re-key Phase I every 86400 seconds (24 hours), but this does not mean that the PSK is going to change.

Please check this out:

lifetime (IKE policy)

Usage Guidelines

Use this command to specify how long an IKE SA exists before expiring.

When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.

So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.

Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: if the two peers' policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-DF77C04E-484D-4A53-82EF-7909AED20CDA

Keep me posted.

Portu.

Please rate any post you find useful.
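The two points made in this thread, that the lifetime selects and expires the Phase-1 SA rather than the PSK, and that the initiator's lifetime must be greater than or equal to the responder's with the shorter value winning, are modelled below as an added example. This is not code from the thread or from Cisco IOS; it is a simplified Python model with constructed names (`IkePolicy`, `IkeSa`, `select_policy`, `rekey_if_needed`) and a constructed stand-in for the per-SA session keying material. It ignores every other attribute-matching rule a real device applies.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed example, not code from the thread or from Cisco IOS: a
# simplified model of how an initiator picks an ISAKMP (IKE phase 1)
# policy against a responder's policies, and of what a rekey replaces.


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower number = preferred, as in "crypto isakmp policy N"
    encryption: str        # e.g. "aes-256"
    hash: str              # e.g. "sha256"
    authentication: str    # e.g. "pre-share"
    group: int             # Diffie-Hellman group number
    lifetime: int          # seconds; the IOS default quoted above is 86400


def matching_policy(local: IkePolicy, remote: IkePolicy) -> Optional[IkePolicy]:
    """Return the negotiated policy if `remote` is acceptable to initiator `local`.

    The rule quoted from the command reference: the responder's lifetime must be
    shorter than or equal to the initiator's, and the shorter value is used.
    In this model the other attributes must match exactly.
    """
    if (local.encryption, local.hash, local.authentication, local.group) != (
        remote.encryption, remote.hash, remote.authentication, remote.group
    ):
        return None
    if remote.lifetime > local.lifetime:
        # Responder's lifetime is longer than ours: this pairing is not selectable.
        return None
    return replace(local, lifetime=min(local.lifetime, remote.lifetime))


def select_policy(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """Walk the initiator's policies in priority order; the first pairing the
    responder can accept wins. Returns None when no policy is selectable."""
    for local in sorted(initiator, key=lambda p: p.priority):
        for remote in sorted(responder, key=lambda p: p.priority):
            chosen = matching_policy(local, remote)
            if chosen is not None:
                return chosen
    return None


@dataclass(frozen=True)
class IkeSa:
    policy: IkePolicy
    psk: str               # the pre-shared key configured on the device
    established_at: int    # seconds on a monotonic clock
    session_key: str       # per-SA keying material derived during the exchange

    def expired(self, now: int) -> bool:
        return now - self.established_at >= self.policy.lifetime


def establish_sa(policy: IkePolicy, psk: str, now: int) -> IkeSa:
    # Constructed stand-in for the DH-derived keying material: it is new for
    # every negotiation even though the configured PSK never changes.
    session_key = f"skeyid-{now}-{policy.group}"
    return IkeSa(policy, psk, now, session_key)


def rekey_if_needed(sa: IkeSa, now: int) -> IkeSa:
    """Rebuild the Phase-1 SA once its lifetime has run out. The PSK is reused
    as-is; only the SA and its derived session keys are replaced."""
    if not sa.expired(now):
        return sa
    return establish_sa(sa.policy, sa.psk, now)


if __name__ == "__main__":
    # Constructed policies: both peers agree on everything but the lifetime.
    local = [IkePolicy(10, "aes-256", "sha256", "pre-share", 14, 86400)]
    remote = [IkePolicy(10, "aes-256", "sha256", "pre-share", 14, 3600)]
    chosen = select_policy(local, remote)
    print("negotiated lifetime:", chosen.lifetime if chosen else None)
    sa = establish_sa(chosen, "constructed-psk", now=0)
    later = rekey_if_needed(sa, now=3600)
    print("same PSK after rekey:", later.psk == sa.psk)
    print("new session key after rekey:", later.session_key != sa.session_key)
```

Running it shows a negotiated lifetime of 3600 (the shorter of the two), and after the rekey the PSK is unchanged while the session keying material is new, which is the answer to the original question. Swapping the two peers' roles makes the pairing unselectable, because the responder's lifetime would then be the longer one.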