ISAKMP and IPsec lifetimes

I would like to sum up an important issue regarding ISAKMP and IPsec lifetimes.

The ISAKMP lifetime is always set based on the initiator's ISAKMP lifetime, even if it is higher than the responder's ISAKMP lifetime.

The IPsec lifetime is always set to the lowest value configured on either IPsec peer.

The IKE Phase 1 lifetime should be greater than the IKE Phase 2 lifetime.

86400 sec (1 day) is a common default value for Phase 1 and 3600 sec (1 hour) is a common value for Phase 2.

A difference between IKEv1 and IKEv2 is that in IKEv1 the SA lifetimes were negotiated. In IKEv2, each end of the SA is responsible for enforcing its own lifetime policy on the SA and rekeying the SA when necessary. If the two ends have different lifetime policies, the end with the shorter lifetime will always be the one to request the rekeying.
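To show where the two lifetimes above are actually configured, here is an added example that is not part of the original post. It assumes a Cisco IOS router (the post does not name a platform); the peer address, pre-shared key, ACL and profile names are placeholders. The Phase 1 value is set under the ISAKMP policy, the Phase 2 value is the global IPsec SA lifetime, and the Phase 1 value is deliberately kept larger than the Phase 2 value as the post recommends.

```cisco
! Added example (not from the original post). Assumes Cisco IOS; the peer
! address 203.0.113.2, the key and the ACL name VPN-ACL are placeholders.
!
! IKEv1 / ISAKMP (Phase 1) lifetime: 86400 s = 1 day
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! IPsec (Phase 2) lifetime: 3600 s = 1 hour, lower than the Phase 1 value.
! Both peers propose their value; the lower one is used for the SA.
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-ACL
!
! IKEv2: the lifetime is a local policy on each end, not a negotiated value.
! The peer with the shorter lifetime is the one that requests the rekey.
crypto ikev2 profile IKEV2-PROF
 lifetime 86400
!
! Verification (exec mode):
!   show crypto isakmp sa detail   -> remaining Phase 1 lifetime per SA
!   show crypto ipsec sa           -> "remaining key lifetime" per Phase 2 SA
```

Two practical notes when checking a deployed configuration against the rules in the post: on IOS the IPsec SA lifetime also has a kilobyte-based component (`crypto ipsec security-association lifetime kilobytes`), so a Phase 2 SA can be rekeyed on traffic volume before the 3600 s timer expires, and the `show crypto ipsec sa` output is the quickest way to confirm which of the two peers' proposed lifetimes was actually installed.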
