IPSec

From: Kyaw Khine (kkhine@register.com)
Date: Mon Sep 30 2002 - 13:23:28 GMT-3


Hi Group,

Could anybody shed some light on my IPSec knowledge?

1. I'm confused about the ISAKMP lifetime and the crypto map lifetime.
crypto isakmp policy 10
  lifetime 2400

crypto map MY-MAP 10 ipsec-isakmp
  set security-association lifetime seconds 4800

I understand ISAKMP is used for key negotiation. That key, in turn, is used
for encryption for IPSec. In the above example, if the ISAKMP key expires after
2400 seconds, what happens to the IPSec lifetime? Will it recalculate? If so, is
that value redundant?
Any guidelines for SA lifetime settings?

I read
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fipsencr/srfipsec.htm#xtocid13
(IPSec Network Security Commands) and still couldn't find answers.

2. The key has to be negotiated after the lifetime expires. But the pre-shared
key or CA being used is a static value. Is that key like a seed to generate
the key?

Thanks in advance.
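
The following is an added example, not part of the original post: the IKEv1 key derivation from RFC 2409 for pre-shared-key authentication, showing how the static pre-shared key is combined with fresh nonces and the Diffie-Hellman secret so that each ISAKMP SA and each IPSec SA ends up with different keys. HMAC-SHA1 as the prf, the random stand-in for the Diffie-Hellman secret, and all function names and sample values are assumptions.

```python
import hashlib
import hmac
import os

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is assumed as the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 sec. 5 (pre-shared keys): key material the ISAKMP SA hands to IPSec."""
    skeyid = prf(psk, ni + nr)                          # SKEYID = prf(psk, Ni_b | Nr_b)
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")  # SKEYID_d

def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, length):
    """RFC 2409 sec. 5.5, no PFS: KEYMAT = K1 | K2 | ... for one IPSec SA."""
    seed = bytes([protocol]) + spi + ni + nr            # protocol | SPI | Ni_b | Nr_b
    block, out = b"", b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)             # K1 = prf(d, seed), Kn = prf(d, Kn-1 | seed)
        out += block
    return out[:length]

def negotiate(psk):
    """One constructed Phase 1 exchange with fresh random values."""
    ni, nr = os.urandom(16), os.urandom(16)             # nonces, new for every exchange
    g_xy = os.urandom(128)                              # stand-in for the Diffie-Hellman secret
    cky_i, cky_r = os.urandom(8), os.urandom(8)         # ISAKMP cookies
    return phase1_skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r)

if __name__ == "__main__":
    psk = b"constructed-example-psk"                    # static, as in the question
    sa1, sa2 = negotiate(psk), negotiate(psk)           # ISAKMP SA, then its replacement
    spi = b"\x00\x00\x10\x01"                           # constructed SPI; protocol 3 = ESP
    k1 = quick_mode_keymat(sa1, 3, spi, os.urandom(16), os.urandom(16), 44)
    k2 = quick_mode_keymat(sa1, 3, spi, os.urandom(16), os.urandom(16), 44)
    print("same PSK, different SKEYID_d per ISAKMP SA:", sa1 != sa2)
    print("same ISAKMP SA, different KEYMAT per IPSec rekey:", k1 != k2)
```
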


