problem with lifetime parameter on ipsec

amenash123
Level 1

Hi,

When I run the show crypto session detail command I get the following message:

Interface: FastEthernet0/1

Session status: UP-ACTIVE

Peer: 172.30.102.101/500 fvrf: (none) ivrf: (none)

Phase1_id: 172.30.102.101

Desc: (none)

IKE SA: local 172.30.102.102/500 remote 172.30.102.101/500 Active

Capabilities:D connid:84 lifetime:23:55:29

IPSEC FLOW: permit ip 172.30.102.100/255.255.255.252 172.30.102.100/255.255.255.252

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 16 drop 0 life (KB/Sec) 4477653/3329

Outbound: #pkts enc'ed 16 drop 4 life (KB/Sec) 4477653/3329

That means I have a lifetime, as appears in the example: 23:55:29, and after that time the IPsec goes down.

How can I disable this lifetime, so that the IPsec (crypto) always works?

Thanks.

1 Reply

jsteffensen
Level 1

Hi

The IPSEC SA lifetime is a fixed configured parameter that cannot be left out. If you have configured IPSEC correctly, and you always have interesting IPSEC traffic (traffic that matches your crypto ACL), the SA will re-establish the tunnel automatically.

A smaller SA lifetime provides more security because this changes your "connection-keys" more often. But again, a shorter SA lifetime adds more overhead to manage the connection.

Be aware that you have 2 lifetime settings:

1 for IKE - Key exchange Phase 1

crypto isakmp policy xxx

lifetime

Default = 24 hours (I believe)

2 for the IPSEC tunnel itself.

crypto map xxxxx

set security-association lifetime

Default = 1 hour (I believe)

Post your config, and we might help you find your problem.

Greetings

Jarle
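
An added example (not part of either post above, and not Cisco code): a Python parser for the `show crypto session detail` output quoted in the question, pulling out the two separate lifetime counters the reply distinguishes. It assumes both counters are remaining values that count down to a rekey; the function names and the `rekey_window_s` threshold are hypothetical.

```python
import re

# Abridged from the output quoted in the question above.
SAMPLE = """\
Session status: UP-ACTIVE
IKE SA: local 172.30.102.102/500 remote 172.30.102.101/500 Active
Capabilities:D connid:84 lifetime:23:55:29
Inbound: #pkts dec'ed 16 drop 0 life (KB/Sec) 4477653/3329
Outbound: #pkts enc'ed 16 drop 4 life (KB/Sec) 4477653/3329
"""

IKE_RE = re.compile(r"connid:\d+\s+lifetime:(\d+):(\d{2}):(\d{2})")
SA_RE = re.compile(r"(Inbound|Outbound):\s+#pkts\s+\S+\s+(\d+)\s+drop\s+(\d+)"
                   r"\s+life \(KB/Sec\)\s+(\d+)/(\d+)")

def parse_session(text):
    """Extract the Phase 1 (IKE) and Phase 2 (IPsec) counters of one session."""
    session = {"status": None, "ike_remaining_s": None, "ipsec": {}}
    m = re.search(r"Session status:\s*(\S+)", text)
    if m:
        session["status"] = m.group(1)
    m = IKE_RE.search(text)
    if m:
        h, mi, s = map(int, m.groups())
        session["ike_remaining_s"] = h * 3600 + mi * 60 + s
    for direction, pkts, drop, kb, sec in SA_RE.findall(text):
        session["ipsec"][direction.lower()] = {
            "pkts": int(pkts), "drop": int(drop),
            "remaining_kb": int(kb), "remaining_s": int(sec)}
    return session

def findings(session, rekey_window_s=300):
    """Report what an operator should look at; the threshold is hypothetical."""
    notes = []
    if session["status"] != "UP-ACTIVE":
        notes.append(f"session status is {session['status']}")
    ike = session["ike_remaining_s"]
    if ike is not None and ike <= rekey_window_s:
        notes.append(f"IKE SA rekey due in {ike}s")
    for direction, sa in session["ipsec"].items():
        if sa["remaining_s"] <= rekey_window_s:
            notes.append(f"{direction} IPsec SA rekey due in {sa['remaining_s']}s")
        if sa["drop"]:
            notes.append(f"{direction}: {sa['drop']} packets dropped")
    return notes

if __name__ == "__main__":
    for note in findings(parse_session(SAMPLE)):
        print(note)
```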