RE: IPsec-what's the difference between these two timer?

From: Jensen, Brian D. (bdjensen@eschelon.com)
Date: Sat Jan 24 2004 - 04:14:34 GMT-3


Hi,

There are several things that take place when SAs are established. First,
the ISAKMP parameters are established. Once that has taken place, the SAs
are built. The ISAKMP lifetime is for the ISAKMP parameters. If the ISAKMP
lifetime is shorter than the SA lifetime in the crypto maps, then the ISAKMP
lifetime will cause the crypto map SAs to get rebuilt. SA lifetimes do not
override the ISAKMP lifetime settings.

There is a global crypto map SA lifetime setting which will apply to all
crypto map SAs if no SA lifetime is configured on a per-crypto-map basis.
This is not to be confused with ISAKMP policy lifetime settings. Think of
these as a basic foundation; if changed, they will change everything above
them (including SAs). If your ISAKMP settings change or become invalid,
they will invalidate all SAs that reside above them and cause them to get
re-negotiated.

HTH,
Brian

> -----Original Message-----
> From: Todd Veillette [SMTP:tveillette@myeastern.com]
> Sent: Friday, January 23, 2004 6:01 PM
> To: David Hiers; Ellie Chou; ccielab@groupstudy.com
> Subject: Re: IPsec-what's the difference between these two timer?
>
> The ISAKMP lifetime is for re-negotiation of your s-keys.
>
> -TV
>
> ----- Original Message -----
> From: "David Hiers" <David_Hiers@adp.com>
> To: "Ellie Chou" <ellie_chou@hotmail.com>; <ccielab@groupstudy.com>
> Sent: Friday, January 23, 2004 9:56 AM
> Subject: RE: IPsec-what's the difference between these two timer?
>
>
> > I believe that "set security-association" is a per-crypto-map override
> of
> the global "lifetime" command.
> >
> > From the doc cd:
> >
> > "To override (for a particular crypto map entry) the global lifetime
> value, which is used when negotiating IP Security security associations,
> use
> the set security-association lifetime command in crypto map configuration
> mode."
> >
> > David
> >
> >
> > ********************************************
> > David Hiers
> > CCIE, CISSP
> > ADP Dealer Services
> > 2525 SW First Avenue
> > Portland, OR 97201
> >
> > v: 503 402 3703
> > email: david_hiers@adp.com
> > ********************************************
> >
> >
> > -----Original Message-----
> > From: Ellie Chou [mailto:ellie_chou@hotmail.com]
> > Sent: Thursday, January 22, 2004 8:45 PM
> > To: ccielab@groupstudy.com
> > Subject: IPsec-what's the difference between these two timer?
> >
> >
> > Hi, can someone tell me what's the difference between the "set
> > security-association lifetime seconds 1800" under crypto map config and
> > the "lifetime 1800" under crypto isakmp policy config? Thanks! I know
> > the first one is the lifetime of a security association but not sure
> > what the 2nd is for and if they have any correlation. Thanks, Ellie
> >
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html


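The two timers discussed in this thread side by side, as an added Cisco IOS configuration example (not from any of the posters; the peer address, ACL number, transform-set and map names are placeholders). The ISAKMP policy `lifetime` governs the IKE phase 1 SA; the global `crypto ipsec security-association lifetime` sets the default for phase 2 (IPsec) SAs, and `set security-association lifetime` inside a crypto map entry overrides that global default for that entry only, as David's doc-CD quote says:

```text
! --- IKE phase 1 (ISAKMP) policy: this lifetime is for the ISAKMP SA ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1800
!
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER address 192.0.2.1
!
! --- Global IPsec SA lifetime: used by every crypto map entry that does
!     not set its own. IOS default is 3600 seconds if this line is absent. ---
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! --- Per-crypto-map override: only this entry's IPsec SAs use 1800 s ---
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 set security-association lifetime seconds 1800
 match address 101
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 crypto map VPN
```

To confirm which timer is actually in force, `show crypto isakmp sa` lists the phase 1 SA and `show crypto ipsec sa` lists each phase 2 SA with its negotiated lifetime and remaining time, so a mismatch between the global value and a per-map override is visible per SA rather than having to be inferred from the configuration. Keeping the phase 2 lifetime shorter than the phase 1 lifetime is the usual practice, since phase 2 re-keys are cheaper and the phase 1 SA is only needed again when a new phase 2 SA must be negotiated.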

This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:49 GMT-3