[c-nsp] Cisco - Netscreen VPN
Ryan O'Connell
ryan at complicity.co.uk
Thu Oct 13 12:25:38 EDT 2005
On 13/10/2005 15:21, info at beprojects.com wrote:
>I think you have mismatched lifetimes on the proposals. Cisco's default
>lifetimes are 86400 for ISAKMP and 28800 for IPSec. I believe NS's
>defaults are 28800 for ISAKMP and 3600 for IPSec. If you change the
>Cisco lifetimes to match the NS, you will probably have better luck.
>
>Here is the ISAKMP stuff:
>crypto isakmp policy 10
>lifetime 28800
>
>I don't recall how to set the IPSec lifetime in IOS, but I believe it is
>under "crypto ipsec profile XX1". Probably something like "set lifetime
>...".
>
>
The default on 12.4 seems to be 3600s:

rt#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/3600 seconds
rt#show config | inc lifetime
rt#

(The command to change the default IPSec lifetime is
"crypto ipsec security-association lifetime seconds <number>")

I've changed the ISAKMP default to see if that helps, but it's the IPSec
SA that's not renegotiating properly rather than the ISAKMP one.