IPsec VPN Lifetimes
IPsec VPNs using IKE rely on lifetimes to control when a tunnel's security associations must be renegotiated. When the lifetimes on the two peers do not match, the tunnel still establishes, but traffic is lost when the shorter timer expires. This article covers these lifetimes and the problems that occur when they are not matched.
Internet Key Exchange (IKE) has two phases. More information on IKE can be found here. Each phase has its own time-based lifetime. Many devices also allow a data-based (kilobyte) lifetime for phase 2: the IPsec security association expires once that much data has passed through it, so whichever limit is reached first, time or data, triggers the renegotiation.
Cisco Meraki products, by default, use a lifetime of 8 hours (28800 seconds) for both IKE phase 1 and IKE phase 2.
When there is a mismatch, the most common result is that the VPN stops passing traffic when the shorter of the two lifetimes expires. The peer with the expired lifetime tears down its security association, while the other peer still considers the tunnel up. The tunnel is not fully rebuilt until either the site whose lifetime expired starts a new negotiation, or the longer lifetime also expires and both sides renegotiate.
Remote Site has Shorter Lifetime(s)
In this situation, the local site keeps sending IPsec datagrams towards the remote peer, which drops them because it no longer has an active security association for them. In most cases the tunnel is rebuilt when the remote site initiates a new negotiation, prompted by interesting traffic from the remote side destined for the VPN route.
Local Site has Shorter Lifetime(s)
In this situation, the remote peer keeps sending IPsec datagrams towards the local site after the local lifetime expires, and the local site drops them. As the inverse of the above, the tunnel is typically rebuilt when traffic destined for the remote peer's subnets causes the local site to start a new IKE negotiation.
Below is an example of a Cisco ASA configuration snippet configured to work with Cisco Meraki site-to-site VPNs. Note that it uses the ASA's default kilobyte lifetime of 4608000 kilobytes (4500 MB). If the VPN is expected to carry more data than that within the 8-hour window, the kilobyte lifetime must be increased, otherwise the data limit will expire the IPsec security association before the time-based lifetime does and the two peers will again be out of step. Note also that the ISAKMP policy shown uses 3DES, SHA-1 and DH group 2, which are considered weak today; prefer AES and a stronger Diffie-Hellman group where both peers support them.
.........
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
.........
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
.........