Firewall Wizards mailing list archives
PIX to PIX IPSEC VPN IKE Phase 2 problem
From: Mikael Velschow-Rasmussen <mvr () nworks dk>
Date: Thu, 9 Feb 2006 16:36:59 +0100
Hi!

Just my 2 cents :-)

IKE phase 1 (ISAKMP) is using a default lifetime of 86400 seconds. (3600 in the scenario)
IKE phase 2 (IPSec) is using 28800 seconds default. (and the scenario is using the default .... the default for PIX ver. 6.3 anyhow)

I wonder if you can have the IKE control channel (IKE SA) torn down before the 2 unidirectional data channels (the IPSec SAs).

Try to set the lifetime lower on the PIXes, e.g.:

Branch PIX 501
    crypto map VPN 100 set security-association lifetime seconds 1800

Regards
Mikael Velschow-Rasmussen
M.Sc.e.e., SANS GCFW #0565
CCIE #9973, CCSI #22493, HP MASE
mvr () nworks dk

Nworks A/S - http://www.nworks.dk
København: Ellekær 8, DK-2730 Herlev
Århus: Søren Frichs Vej 38 K, 1. DK-8230 Åbyhøj
Tlf: +45 4485 5000
Fax: +45 4485 5001
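The lifetime relationship questioned in the message above, as an added example (not part of the original post and not Cisco tooling): a Python check that reads PIX 6.3-style configuration lines and reports crypto map entries whose IPSec SA lifetime is longer than the shortest configured ISAKMP lifetime. The policy number 10, the peer address and the sample configuration are constructed; the defaults are the ones quoted in the message.

```python
import re

# Defaults as quoted in the message (PIX ver. 6.3), in seconds.
DEFAULT_PHASE1 = 86400   # IKE phase 1 (ISAKMP) lifetime
DEFAULT_PHASE2 = 28800   # IKE phase 2 (IPSec SA) lifetime

P1 = re.compile(r"^isakmp policy (\d+) lifetime (\d+)$")
P2_GLOBAL = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)$")
P2_MAP = re.compile(r"^crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) \S")

# Constructed sample: phase 1 set to 3600 as in the scenario, phase 2 left at default.
SCENARIO = """
isakmp policy 10 lifetime 3600
crypto map VPN 100 ipsec-isakmp
crypto map VPN 100 set peer 192.0.2.1
crypto map VPN interface outside
"""
# The line suggested in the message for the branch PIX 501.
SUGGESTED = "crypto map VPN 100 set security-association lifetime seconds 1800\n"


def lifetime_findings(config):
    """Return (map, seq, phase2_secs, phase1_secs) for each crypto map entry
    whose IPSec SA lifetime exceeds the shortest ISAKMP policy lifetime."""
    phase1, per_entry = [], {}
    phase2_global = DEFAULT_PHASE2
    for line in map(str.strip, config.splitlines()):
        if m := P1.match(line):
            phase1.append(int(m.group(2)))
        elif m := P2_GLOBAL.match(line):
            phase2_global = int(m.group(1))
        elif m := P2_MAP.match(line):
            per_entry[(m.group(1), int(m.group(2)))] = int(m.group(3))
        elif m := MAP_ENTRY.match(line):
            # Entry exists but may rely on the global/default lifetime.
            per_entry.setdefault((m.group(1), int(m.group(2))), None)
    # Which policy gets negotiated is not known from the config alone,
    # so compare against the shortest one (conservative).
    p1 = min(phase1, default=DEFAULT_PHASE1)
    findings = []
    for (name, seq), secs in sorted(per_entry.items()):
        p2 = phase2_global if secs is None else secs
        if p2 > p1:
            findings.append((name, seq, p2, p1))
    return findings


if __name__ == "__main__":
    print("scenario:  ", lifetime_findings(SCENARIO))
    print("with 1800: ", lifetime_findings(SCENARIO + SUGGESTED))
```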