
IPsec VPN Lifetimes

IPsec VPNs that use IKE rely on lifetimes to control when a tunnel must be re-established. When these lifetimes are mismatched between the two peers, the IPsec tunnel still establishes, but traffic is lost each time the shorter lifetime expires. This article covers these lifetimes and the problems that occur when they are not matched.

Internet Key Exchange (IKE) has two phases: phase 1 establishes the IKE (ISAKMP) security association used to protect the negotiation, and phase 2 establishes the IPsec security associations that carry the tunnelled traffic. Each phase requires a time-based lifetime to be configured. Many devices also allow a kilobyte (volume) lifetime to be configured for the phase 2 IPsec security associations. This secondary lifetime expires the security association once the specified amount of data has been transferred, regardless of how much of the time-based lifetime remains.

Cisco Meraki products, by default, use a lifetime of 8 hours (28800 seconds) for both IKE phase 1 and IKE phase 2.


When the lifetimes do not match, the most common result is that the VPN stops passing traffic when the peer with the shorter lifetime expires its security association. The tunnel is not fully rebuilt until either the expired peer initiates a new negotiation or the longer lifetime on the other peer also expires.

Remote Site has Shorter Lifetime(s)

In this situation, the local site continues sending IPsec datagrams to the remote peer while the remote peer no longer has an active security association, so that traffic is dropped. In most cases the tunnel is rebuilt when the remote site attempts to re-establish it, prompted by "interesting" traffic (traffic matching the VPN route) sent from the remote peer toward the local site.

Local Site has Shorter Lifetime(s)

In this situation, the remote peer continues sending IPsec datagrams to the local site after the local lifetime expires, and that traffic is dropped. As the inverse of the case above, the tunnel typically rebuilds when traffic destined for the remote peer's subnets causes the local site to start a new IKE negotiation.

Below is an example Cisco ASA configuration snippet that works with Cisco Meraki site-to-site VPNs. Note that it uses the ASA default kilobyte lifetime of 4500 MB (4608000 KB). Whichever limit is reached first, time or volume, expires the IPsec security association, so if the VPN is expected to carry more than 4500 MB within the 8-hour time lifetime, the kilobyte lifetime must be increased to ensure the tunnel does not expire on the ASA before the seconds-based lifetime does. Also note that 3DES, SHA-1 and Diffie-Hellman group 2 in the ISAKMP policy below are legacy algorithm choices; whatever is chosen, the policy must match what the Meraki peer is configured to use.

.........
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
.........
crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 28800
.........
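The following worked example is added here and is not part of the original article or any Cisco or Meraki code. It models the two interacting limits discussed above: the time-based lifetime and the kilobyte lifetime from the ASA snippet, and the "which peer expires first" mismatch scenarios from the two preceding sections. It computes at what sustained throughput the ASA's 4608000 KB default fires before the 28800-second lifetime, how large the kilobyte lifetime must be to outlast the time lifetime at a given rate, and the worst-case window during which the longer-lived peer keeps sending into a dead security association. It assumes the Meraki peer enforces only its 28800-second lifetime and no kilobyte lifetime (the article does not say either way), and the 10 Mbit/s throughput figure is a constructed value for illustration.

```python
"""Added worked example (not Meraki's or Cisco's code): how the time-based and
kilobyte (volume) lifetimes on two IPsec peers interact, and when a mismatch
leaves one side sending into a dead security association."""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Values taken from the article: the Meraki default time lifetime and the
# ASA default volume lifetime shown in the configuration snippet.
MERAKI_DEFAULT_SECONDS = 28800
ASA_DEFAULT_KILOBYTES = 4_608_000


@dataclass(frozen=True)
class Lifetimes:
    """Lifetimes one peer applies to its phase 2 (IPsec) security association."""
    seconds: int
    kilobytes: Optional[int] = None  # None: this peer enforces no volume limit


def volume_expiry_seconds(kilobytes: int, throughput_bps: float) -> float:
    """Seconds until a kilobyte lifetime is consumed at a sustained bit rate."""
    if throughput_bps <= 0:
        return math.inf
    return kilobytes * 1024 * 8 / throughput_bps


def effective_lifetime(lt: Lifetimes, throughput_bps: float) -> Tuple[float, str]:
    """(seconds until this peer expires the SA, name of the limit that fires).

    Whichever limit is reached first wins, which is how the ASA applies
    'crypto ipsec security-association lifetime seconds' and 'kilobytes'.
    """
    if lt.kilobytes is None:
        return float(lt.seconds), "seconds"
    by_volume = volume_expiry_seconds(lt.kilobytes, throughput_bps)
    if by_volume < lt.seconds:
        return by_volume, "kilobytes"
    return float(lt.seconds), "seconds"


def breakeven_throughput_bps(lt: Lifetimes) -> float:
    """Sustained rate above which the volume limit fires before the time limit."""
    if lt.kilobytes is None:
        return math.inf
    return lt.kilobytes * 1024 * 8 / lt.seconds


def kilobytes_to_outlast_seconds(seconds: int, throughput_bps: float) -> int:
    """Smallest kilobyte lifetime that will not expire before the time lifetime
    at the given sustained rate (the value the article says must be increased)."""
    return math.ceil(throughput_bps * seconds / 8 / 1024)


def check_mismatch(local: Lifetimes, remote: Lifetimes,
                   throughput_bps: float) -> Dict[str, object]:
    """Report which peer tears down its SA first and the worst-case window in
    which the other peer keeps sending into a dead association (until its own
    lifetime lapses or 'interesting' traffic from the expired side renegotiates)."""
    local_exp, local_why = effective_lifetime(local, throughput_bps)
    remote_exp, remote_why = effective_lifetime(remote, throughput_bps)
    if local_exp == remote_exp:
        first = "none"
    elif local_exp < remote_exp:
        first = "local"
    else:
        first = "remote"
    return {
        "first_to_expire": first,
        "local_expires_after": local_exp,
        "local_limit": local_why,
        "remote_expires_after": remote_exp,
        "remote_limit": remote_why,
        "max_outage_seconds": abs(local_exp - remote_exp),
    }


if __name__ == "__main__":
    # Constructed scenario: Meraki (assumed: time lifetime only) as the local
    # site, ASA with the snippet's defaults as the remote site, and a made-up
    # 10 Mbit/s of sustained VPN traffic.
    meraki = Lifetimes(seconds=MERAKI_DEFAULT_SECONDS)
    asa = Lifetimes(seconds=28800, kilobytes=ASA_DEFAULT_KILOBYTES)
    rate = 10_000_000

    print(f"ASA volume limit fires before 8h above "
          f"{breakeven_throughput_bps(asa) / 1e6:.2f} Mbit/s sustained")
    report = check_mismatch(meraki, asa, rate)
    print(f"at 10 Mbit/s the {report['first_to_expire']} peer expires first "
          f"(after {report['remote_expires_after']:.0f}s via "
          f"{report['remote_limit']}), worst-case outage "
          f"{report['max_outage_seconds']:.0f}s")
    print(f"kilobyte lifetime needed to outlast 28800s at 10 Mbit/s: "
          f"{kilobytes_to_outlast_seconds(28800, rate)}")
```

With the snippet's defaults the volume limit overtakes the 8-hour limit at roughly 1.31 Mbit/s of sustained traffic; at 10 Mbit/s the ASA rekeys after about 63 minutes while a peer enforcing only the time lifetime would not expect a rekey for another seven hours, which is exactly the mismatch the sections above describe.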
Last modified
09:04, 3 Jun 2015


Article ID

ID: 1402
