Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1678
Views
0
Helpful
8
Replies

VPN Lifetimes and the effects

Go to solution
Marco Serato
Level 1
Level 1

‎10-20-2022 08:33 AM

Hello

The following question is just for understanding.

Does a VPN tunnel collapse or abort briefly when the IKE Liftetime has expired?

With IPSEC SA, the lifetimes are required for rekeying- Is that correct?

Thanks Martin

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎10-20-2022 08:39 AM

Does a VPN tunnel collapse or abort briefly when the IKE Liftetime has expired? no because both side choose one lifetime. 

With IPSEC SA, the lifetimes are required for rekeying- Is that correct? Yes when IPSec SA lifetime is end the both peer start exchange phase2 rekey for new key.

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎10-20-2022 08:57 AM

@Marco Serato no the VPN tunnel does not collapse when the IKE SA lifetime expires. Dataplane traffic over the VPN uses the IPSec SA not the IKE SA.

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
MHM Cisco World
VIP
VIP

‎10-20-2022 08:39 AM

Does a VPN tunnel collapse or abort briefly when the IKE Liftetime has expired? no because both side choose one lifetime. 

With IPSEC SA, the lifetimes are required for rekeying- Is that correct? Yes when IPSec SA lifetime is end the both peer start exchange phase2 rekey for new key.

0 Helpful

Go to solution
Marco Serato
Level 1
Level 1
In response to MHM Cisco World

‎10-20-2022 08:56 AM

After the IKE Lifetime has expired, is there only one rekeying or is there more to it?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Marco Serato

‎10-20-2022 09:06 AM

Depending if you config per-host 

Then for each host in acl subnet there rekey

If not then only one rekey.

0 Helpful

Go to solution
Marco Serato
Level 1
Level 1
In response to MHM Cisco World

‎10-20-2022 12:45 PM

Is the rekeying not based on the Diffie Hellman algo?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎10-20-2022 08:57 AM

@Marco Serato no the VPN tunnel does not collapse when the IKE SA lifetime expires. Dataplane traffic over the VPN uses the IPSec SA not the IKE SA.

 

0 Helpful

Go to solution
Marco Serato
Level 1
Level 1

‎10-20-2022 12:45 PM

Many thanks for the answers.

In IKEv2 the IKE lifetime must be the same, but the SA lifetime can be different. Am I correct?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Marco Serato

‎10-20-2022 12:51 PM

@Marco Serato no, with IKEV2 the configured lifetimes do not need to be identical. If the two peers have different lifetime policies, the end with the shorter lifetime will end up always being the one to request the rekeying.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎10-21-2022 02:03 AM

https://networkengineering.stackexchange.com/questions/6622/getting-cisco-isakmp-and-ipsec-sa-lifetime-confused

I think you confuse about the two lifetime in IPsec, check link above for more info

0 Helpful
Customers Also Viewed These Support Documents