312 Views, 4 Helpful, 1 Reply

Question about IPSec SA lifetime

banlan.chen
Level 1

Hi All,

I am confused about the lifetime. One book said you should keep the two peers' lifetimes exactly the same, otherwise you can't establish the tunnel. But I saw another book that said you can use different lifetimes (time interval and/or byte count), and the two peers will choose the lower one.

Please help me out. Thanks in advance.

Banlan

Accepted Solution

gfullage
Cisco Employee

There are two lifetimes involved with IPsec connections, Phase 1 (ISAKMP) and Phase 2 (IPsec).

With the Phase 1 tunnel, if the initiator has a higher lifetime than the responder, the responder will not accept the connection, so it's definitely best to keep your Phase 1 lifetimes the same.

With Phase 2, the lifetime will be negotiated to the lower of the two values regardless of who initiates, so this one doesn't matter. It is still good practice to keep lifetimes the same, since you can run into negotiation issues with different vendors' devices.

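To make the two rules in the accepted answer concrete, here is an added example (not code from the original post, nor a Cisco tool) that reads the lifetime lines from two Cisco IOS peer configs and reports what the answer says will happen: Phase 1 is rejected when the initiator's ISAKMP lifetime is higher than the responder's, and Phase 2 settles on the lower value of each attribute (seconds and kilobytes) no matter who initiates. The sample configs are constructed for this example; the fallback defaults (ISAKMP 86400 s, IPsec 3600 s and 4608000 KB) are the IOS defaults assumed here for any lifetime a config does not set explicitly. The Phase 1 behaviour is modelled exactly as the answer states it; check your own platform's behaviour before relying on it.

```python
"""Compare IPsec SA lifetimes configured on two Cisco IOS peers.

Added example: parses the lifetime-related lines of two peer configs and
applies the negotiation rules described in the accepted answer above.
"""
import re

# Constructed sample configs for this example (not from the original post).
PEER_A = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 86400
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
"""

PEER_B = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
crypto ipsec security-association lifetime seconds 1800
"""

# Assumed IOS defaults, used when a config does not set a lifetime explicitly.
IOS_DEFAULTS = {
    "isakmp_seconds": 86400,
    "ipsec_seconds": 3600,
    "ipsec_kilobytes": 4608000,
}

ISAKMP_POLICY = re.compile(r"crypto isakmp policy \d+")
ISAKMP_LIFETIME = re.compile(r"\s+lifetime (\d+)")
IPSEC_LIFETIME = re.compile(
    r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)"
)


def parse_lifetimes(config):
    """Return the Phase 1 and Phase 2 lifetimes found in an IOS config.

    Only the 'lifetime' sub-command of a 'crypto isakmp policy' block and the
    global 'crypto ipsec security-association lifetime' commands are read.
    """
    lifetimes = dict(IOS_DEFAULTS)
    in_isakmp_policy = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if ISAKMP_POLICY.match(line):
            in_isakmp_policy = True
            continue
        if not line.startswith(" "):
            # Any unindented command ends the policy block.
            in_isakmp_policy = False
        m = ISAKMP_LIFETIME.match(line)
        if in_isakmp_policy and m:
            lifetimes["isakmp_seconds"] = int(m.group(1))
            continue
        m = IPSEC_LIFETIME.match(line)
        if m:
            lifetimes["ipsec_" + m.group(1)] = int(m.group(2))
    return lifetimes


def negotiate_phase1(initiator, responder):
    """Phase 1 rule as stated in the answer: the responder rejects a proposal
    whose lifetime is higher than its own. Returns the agreed lifetime, or
    None when the responder would reject the proposal."""
    if initiator["isakmp_seconds"] > responder["isakmp_seconds"]:
        return None
    return initiator["isakmp_seconds"]


def negotiate_phase2(peer_a, peer_b):
    """Phase 2 rule: each lifetime attribute settles on the lower value,
    independent of which side initiates."""
    return {
        key: min(peer_a[key], peer_b[key])
        for key in ("ipsec_seconds", "ipsec_kilobytes")
    }


def check_peers(config_a, config_b):
    """Report Phase 1 compatibility in both directions and the Phase 2 result."""
    a, b = parse_lifetimes(config_a), parse_lifetimes(config_b)
    return {
        "phase1_match": a["isakmp_seconds"] == b["isakmp_seconds"],
        "phase1_if_a_initiates": negotiate_phase1(a, b),
        "phase1_if_b_initiates": negotiate_phase1(b, a),
        "phase2": negotiate_phase2(a, b),
    }


if __name__ == "__main__":
    for name, value in check_peers(PEER_A, PEER_B).items():
        print(f"{name}: {value}")
```

With the constructed configs, Phase 1 fails only when PEER_A (86400 s) initiates towards PEER_B (28800 s), succeeds in the other direction, and Phase 2 lands on 1800 s and 4608000 KB regardless of direction, which is the asymmetry the answer describes. Run it against exported configs from your own peers to spot a mismatch before a tunnel refuses to come up.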