Lifetime VPN

csco11579831
Level 1

Hello,

Can you please tell me whether this is normal: I set the lifetime value on the crypto policy to 86400 (24 hours), but when I show the detail I have only 2 hours:

SDSL-RTR # sh cry session detail
Crypto session current status
Code: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal X - IKE Extended Authentication
Interface FastEthernet0 / 0
Session status: UP-ACTIVE
Peer: X.X.X.X port 500 fvrf: (none) ivrf: (none)
       Phase1_id: X.X.X.X
       Desc: (none)
   IKE SA: local YYYY/500 remote XXXX/500 Active
           Capabilities: (none) connid: 134217735 lifetime: 1:59:31 (2 hours)

Best regards,

Jouni Forss
VIP Alumni

Hi,

I guess this might depend if the device is actually using the Policy that you have modified the time for.

You should probably look at all the Crypto ISAKMP policies and check which one of them has the value of 2 hours.

Your connection might be using an ISAKMP policy that has a higher priority than the one you are making changes to.

show crypto isakmp sa detail

Might also show something about the other parameters on the active connection

- Jouni

Maybe you are right.

RTR-SDSL#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
9     X.X.X.X         Y.Y.Y.Y                       ACTIVE 3des md5  psk  2  00:38:52    
       Connection-id:Engine-id =  9:1(software)

=============================

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 46800
crypto isakmp key ********* address X.X.X.X
!
!
crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac
!
crypto map CryptoVPN 1 ipsec-isakmp
 set peer X.X.X.X
 set transform-set VPNSet
 match address 110
!
!
!
!
interface FastEthernet0/0
 ip address Y.Y.Y.Y 255.255.255.252
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CryptoVPN
!
interface FastEthernet0/1
 ip address Z.Z.Z.Z 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

csco11579831
Level 1

Can you please reply?

Hi,

I guess you should ask the remote end of this L2L VPN connection to also check their configuration with regards to the lifetime value.

Since yours is not defining that it would be 2h.

- Jouni
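
The check suggested in the replies, as an added example that is not part of the thread: it parses the posted `crypto isakmp policy` block and the `show crypto isakmp sa detail` row, finds which local policy the active SA matches, and reports that policy's lifetime next to the time remaining. The sample strings are constructed from the thread's output, the function names are hypothetical, and the defaults table assumes the classic IOS IKEv1 defaults that `show run` omits.

```python
import re

# Constructed sample input, taken from the config and SA row posted in the thread.
CONFIG = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 46800
"""
SA_ROW = "9     X.X.X.X   Y.Y.Y.Y    ACTIVE 3des md5  psk  2  00:38:52"

# Assumed IOS IKEv1 defaults; auth is stored in the abbreviation the SA table prints.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsig",
            "group": "1", "lifetime": "86400"}
AUTH_ABBREV = {"pre-share": "psk", "rsa-sig": "rsig", "rsa-encr": "renc"}
KEYS = ("encr", "hash", "authentication", "group")

def parse_policies(config):
    """Return {priority: parameters} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif current is not None and len(parts) >= 2 and parts[0] in DEFAULTS:
            current[parts[0]] = AUTH_ABBREV.get(parts[1], parts[1])
        elif parts:            # any other non-blank line ends the policy block
            current = None
    return policies

def parse_sa_row(row):
    """Read Encr/Hash/Auth/DH and the remaining lifetime (seconds) from one SA row."""
    f = row.split()
    i = next(n for n, t in enumerate(f) if re.fullmatch(r"\d+:\d\d:\d\d", t))
    h, m, s = map(int, f[i].split(":"))
    return {**dict(zip(KEYS, f[i - 4:i])), "remaining": h * 3600 + m * 60 + s}

def matching_policies(policies, sa):
    """List (priority, configured lifetime) for local policies the SA matches."""
    return [(prio, int(p["lifetime"])) for prio, p in sorted(policies.items())
            if all(p[k] == sa[k] for k in KEYS)]

if __name__ == "__main__":
    sa = parse_sa_row(SA_ROW)
    for prio, lifetime in matching_policies(parse_policies(CONFIG), sa):
        print(f"policy {prio}: configured {lifetime}s, SA has {sa['remaining']}s left")
```

IKEv1 peers on IOS settle on the shorter of the two proposed lifetimes, so an SA that expires sooner than the matched local policy allows points at the remote end's setting.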