The global lifetime values which are used when negotiating new IPSec security associations can be changed. These global lifetime values can be overridden for a particular crypto map entry. These lifetimes only apply to security associations established via IKE. Manually established security associations do not expire.

There are two lifetimes: a timed lifetime and a traffic-volume lifetime. A security association expires after the first of these lifetimes is reached. The default lifetimes are 3,600 seconds (one hour) and 4,608,000 kilobytes (ten megabits per second for one hour).

If a global lifetime is changed, the new lifetime value will not be applied to currently existing security associations, but will be used in the negotiation of subsequently established security associations. To use the new values immediately, all or part of the security association database can be cleared. Refer to the clear crypto sa command for more details.

IPSec security associations use one or more shared secret keys. These keys and their security associations time out together.
How These Lifetimes Work
Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations it will specify its global lifetime values in the request to the peer, and it will use these values as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

The security association, and corresponding keys, will expire according to whichever comes sooner: either after the number of seconds has passed, as specified by the seconds keyword, or after the amount of traffic in kilobytes has passed, as specified by the kilobytes keyword. Security associations that are established manually, with a crypto map entry marked as ipsec-manual, have an infinite lifetime.

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the timed lifetime expires, or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes specified in the traffic-volume lifetime, whichever comes first.

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when another packet that should be protected by IPSec is detected.
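The following is an added example, not Cisco IOS code, that models the lifetime rules described above: crypto map values override the global ones, the responder takes the smaller of the peer's proposal and its own value, an SA expires at the first lifetime reached (never for ipsec-manual), and a replacement SA is negotiated 30 seconds or 256 kilobytes early only if the SA has carried traffic. The function names, the Lifetime type and the integer units are assumptions made for the illustration.

```python
# Added example (not Cisco's code): a model of IKE-negotiated IPsec SA lifetimes.
from dataclasses import dataclass
from typing import Optional

DEFAULT_SECONDS = 3600          # default timed lifetime: one hour
DEFAULT_KILOBYTES = 4_608_000   # default traffic-volume lifetime
RENEG_SECONDS_BEFORE = 30       # renegotiate 30 s before timed expiry
RENEG_KB_BEFORE = 256           # ...or 256 KB before the volume limit


@dataclass(frozen=True)
class Lifetime:
    seconds: int      # timed lifetime (the "seconds" keyword)
    kilobytes: int    # traffic-volume lifetime (the "kilobytes" keyword)


GLOBAL_DEFAULT = Lifetime(DEFAULT_SECONDS, DEFAULT_KILOBYTES)


def effective_lifetime(global_lt: Lifetime, crypto_map_lt: Optional[Lifetime],
                       peer_proposal: Optional[Lifetime]) -> Lifetime:
    """Pick the lifetime a new SA will get.

    A crypto map entry with its own lifetimes overrides the global values.
    As initiator (no peer proposal yet) the router requests its own values;
    as responder it takes the smaller of the proposed and local values,
    independently for the timed and the traffic-volume lifetime."""
    local = crypto_map_lt if crypto_map_lt is not None else global_lt
    if peer_proposal is None:
        return local
    return Lifetime(min(local.seconds, peer_proposal.seconds),
                    min(local.kilobytes, peer_proposal.kilobytes))


def sa_expired(lt: Lifetime, age_seconds: int, kb_passed: int,
               manual: bool = False) -> bool:
    """An SA (and its keys) expires when the first lifetime is reached.
    SAs from an ipsec-manual crypto map entry never expire."""
    if manual:
        return False
    return age_seconds >= lt.seconds or kb_passed >= lt.kilobytes


def should_renegotiate(lt: Lifetime, age_seconds: int, kb_passed: int) -> bool:
    """A replacement SA is negotiated 30 s before timed expiry or 256 KB before
    the volume limit, whichever comes first. An SA that has carried no traffic
    is not replaced ahead of time; it is renegotiated only when the next
    packet needing IPsec protection shows up."""
    if kb_passed == 0:
        return False
    return (age_seconds >= lt.seconds - RENEG_SECONDS_BEFORE
            or kb_passed >= lt.kilobytes - RENEG_KB_BEFORE)
```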