Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3859
Views
0
Helpful
1
Replies

VPNs Phase 1 Keylife vs Phase 2 keylife

Go to solution
Ccryshna1
Level 1
Level 1

‎05-21-2014 11:55 PM

why VPNs' phase1 keylife must be greater than the phase 2 keylife and what will happen if phase2 keylife is greater than the phase1 keylife?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Frank DeNofa
Cisco Employee
Cisco Employee

‎09-09-2014 04:17 PM

Ccryshna1,

 

As your Phase 1 (IKE) SA is used to secure a channel for control plane traffic, it must be established in order to establish or re-establish your Phase 2 SA. Therefore, if your Phase 1 lifetime is shorter than your Phase 2 lifetime, you must establish a new Phase 1 SA every time Phase 2 rekeys. If you are using Main Mode and Quick Mode, this is an extra six packet exchange which must occur at each Phase 2 rekey.

 

HTH,

Frank

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Frank DeNofa
Cisco Employee
Cisco Employee

‎09-09-2014 04:17 PM

Ccryshna1,

 

As your Phase 1 (IKE) SA is used to secure a channel for control plane traffic, it must be established in order to establish or re-establish your Phase 2 SA. Therefore, if your Phase 1 lifetime is shorter than your Phase 2 lifetime, you must establish a new Phase 1 SA every time Phase 2 rekeys. If you are using Main Mode and Quick Mode, this is an extra six packet exchange which must occur at each Phase 2 rekey.

 

HTH,

Frank

0 Helpful
Customers Also Viewed These Support Documents