08-25-2003 09:51 AM - edited 02-21-2020 12:44 PM
Hi All,
I am confused about the lifetime. Some book said you should keep the two peers' lifetimes exactly the same, otherwise you can't establish the tunnel. But I saw another book that said you can use different lifetimes (time interval and/or byte count), and the two peers will choose the lower one.
Please help me out. Thanks in advance.
Banlan
08-25-2003 07:14 PM
There are two lifetimes involved with IPSec connections, Phase 1 (ISAKMP) and Phase 2 (IPSec).
With the Phase 1 tunnel, if the initiator has a higher lifetime than the responder, the responder will not accept the connection, so it's definitely best to keep your Phase 1 lifetimes the same.
With Phase 2, the lifetime will be negotiated to the lower of the two values regardless of who initiates, so this one doesn't matter. Still good practice to keep lifetimes the same since you can run into negotiation issues with different vendors' devices.
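An added example, not part of the original thread: a small Python check that applies the two rules from the answer above to a pair of IOS-style configs, showing that a Phase 1 mismatch can let the tunnel come up from one side only. The sample configs are constructed, the function names are hypothetical, and only the global Phase 2 lifetime in seconds is read.

```python
import re

P1_DEFAULT, P2_DEFAULT = 86400, 3600  # IOS defaults (seconds) when no lifetime is set

# Constructed sample configs for two peers
SITE_A = """\
crypto isakmp policy 10
 encryption aes
 lifetime 86400
crypto ipsec security-association lifetime seconds 3600
"""
SITE_B = """\
crypto isakmp policy 10
 encryption aes
 lifetime 28800
crypto ipsec security-association lifetime seconds 1800
"""

def parse_lifetimes(config):
    """Return (phase1_seconds, phase2_seconds) from an IOS-style config."""
    p1 = p2 = None
    in_isakmp = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new top-level section
            in_isakmp = line.startswith("crypto isakmp policy")
        m = re.match(r"\s+lifetime (\d+)\s*$", line)
        if in_isakmp and m:
            p1 = int(m.group(1))
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)\s*$", line)
        if m:
            p2 = int(m.group(1))
    return (p1 or P1_DEFAULT, p2 or P2_DEFAULT)

def check_pair(initiator_cfg, responder_cfg):
    """Phase 1: rejected if the initiator's lifetime is higher than the
    responder's. Phase 2: both sides settle on the lower value."""
    i1, i2 = parse_lifetimes(initiator_cfg)
    r1, r2 = parse_lifetimes(responder_cfg)
    return {
        "phase1_accepted": i1 <= r1,
        "phase1_mismatch": i1 != r1,
        "phase2_effective": min(i2, r2),
        "phase2_mismatch": i2 != r2,
    }

if __name__ == "__main__":
    print("A initiates:", check_pair(SITE_A, SITE_B))
    print("B initiates:", check_pair(SITE_B, SITE_A))
```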