Re: vpn -- SA lifetime

From: V Shekhar (vshekhar25@yahoo.com)
Date: Sun Nov 12 2006 - 13:31:38 ART


My original post is for an IPSEC L2L tunnel scenario using crypto maps. Have not tested with dynamic maps.
Hope that clarifies better.
-sHekHar.

----- Original Message ----
From: Tim <ccie2be@nyc.rr.com>
To: V Shekhar <vshekhar25@yahoo.com>; ecurity@groupstudy.com; ccielab@groupstudy.com
Sent: Sunday, November 12, 2006 8:14:32 PM
Subject: RE: vpn -- SA lifetime

Hey V Shekhar,

Thanks very much. I appreciate your help.

That's exactly what I was seeking to understand.

Tim

-----Original Message-----
From: V Shekhar [mailto:vshekhar25@yahoo.com]
Sent: Sunday, November 12, 2006 9:38 AM
To: Tim; ecurity@groupstudy.com; ccielab@groupstudy.com
Subject: Re: vpn -- SA lifetime

Doesn't matter which one is shorter.
The IKE lifetime, which governs the IKE SA, does not affect the IPSEC SA lifetime in
any way.

Case 1 : IKE SA lifetime < IPSEC SA lifetime.
The IKE SA will get deleted and IPSEC traffic keeps flowing till IPSEC SA
expiry; just before the IPSEC SA renegotiation, the IKE handshake happens again.

Case 2 : IKE SA lifetime > IPSEC SA lifetime.
The IPSEC SA renegotiates many times before the IKE SA expires.

Case 2 is less taxing on CPU, but comparatively less secure.
Depends on how paranoid you are.

HTH,
-sHekHar.
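The two cases above, as an added example that is not part of the original thread: a small timeline model that counts how many IKE handshakes run and how many IPsec SAs are derived under one IKE SA over a day. It follows the description in the post (an IPsec rekey triggers an IKE handshake only if the IKE SA has already expired); the lifetimes are constructed values, and real devices rekey slightly before expiry rather than exactly at it.

```python
# Added example, not from the original thread. Lifetimes are constructed.
# Model: an IPsec SA is renegotiated every ipsec_lifetime seconds. The
# renegotiation needs a live IKE SA; if none exists (or it has expired), an
# IKE handshake runs first and the new IKE SA lives ike_lifetime seconds.
from dataclasses import dataclass, field


@dataclass
class Simulation:
    ike_lifetime: int   # seconds, IKE (ISAKMP) SA lifetime
    ipsec_lifetime: int  # seconds, IPsec (data) SA lifetime
    horizon: int         # total seconds simulated
    ike_handshakes: list = field(default_factory=list)  # times an IKE handshake ran
    ipsec_rekeys: list = field(default_factory=list)    # times an IPsec SA was (re)built


def simulate(ike_lifetime: int, ipsec_lifetime: int, horizon: int) -> Simulation:
    sim = Simulation(ike_lifetime, ipsec_lifetime, horizon)
    t = 0
    ike_expires_at = None  # None means there is no live IKE SA
    while t < horizon:
        # Tunnel bring-up and every later rekey: fetch a live IKE SA or build one.
        if ike_expires_at is None or ike_expires_at <= t:
            sim.ike_handshakes.append(t)
            ike_expires_at = t + ike_lifetime
        sim.ipsec_rekeys.append(t)
        t += ipsec_lifetime
    return sim


def summarize(sim: Simulation) -> dict:
    # Count IPsec SAs derived under each IKE SA (CPU cost vs. key reuse trade-off).
    bounds = sim.ike_handshakes + [sim.horizon]
    per_ike_sa = [sum(1 for r in sim.ipsec_rekeys if lo <= r < hi)
                  for lo, hi in zip(bounds, bounds[1:])]
    return {
        "ike_handshakes": len(sim.ike_handshakes),
        "ipsec_rekeys": len(sim.ipsec_rekeys),
        "max_ipsec_sas_per_ike_sa": max(per_ike_sa),
    }


if __name__ == "__main__":
    day = 86400
    # Case 1: IKE SA (1h) shorter than IPsec SA (8h); Case 2: the reverse.
    for label, ike, ipsec in (("Case 1", 3600, 28800), ("Case 2", 86400, 3600)):
        print(label, summarize(simulate(ike, ipsec, day)))
```

Case 1 performs an IKE handshake at every IPsec rekey (one IPsec SA per IKE SA); Case 2 performs a single handshake and derives all 24 IPsec SAs of the day from that one IKE SA, which is the CPU-versus-security trade-off the post describes.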

----- Original Message ----
From: Tim <ccie2be@nyc.rr.com>
To: security@groupstudy.com; ccielab@groupstudy.com
Sent: Sunday, November 12, 2006 6:27:08 PM
Subject: vpn -- SA lifetime

Hi guys,

Lifetimes, for both the mgmt SA (ISAKMP) and the data SA's (IPSec), can be
configured independently.

That being the case, does it matter what the values are relative to one
another?

IOW, should the lifetime for the mgmt SA be equal to, smaller than or larger
than the data lifetime?

Is there a "Best Practice" when it comes to selecting these values?

I know the lifetime parameter can be left at its default value but I'd like
to know if one value is changed, should the other value also be changed and
how to think about this issue.

Thanks very much for any feedback on this.

Tim



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART