Should keylifes match on an IPsec tunnel?

DANMOH009:
I appreciate this may be a security-based question.

But I was wondering what you guys recommend, either the correct way or best practices.

I understand you have the timeout interval in phase 1 (lifetime) and a keylife interval in phase 2.

Now my brief understanding is that lifetime is basically an idle timeout for phase 1 and keylife is the lifetime before new keys generate (if I'm wrong please let me know).

I have heard that the keylife (phase 2) should be the same on both sides, but I have also heard that if they are the same on both sides then they will both try to renew their keys and this causes problems.

Can someone advise me what is correct?

  • TechGuy215 (Philadelphia, PA):
    IKE Phase 1 (ISAKMP) lifetime should be greater than IKE Phase 2 (IPsec) lifetime. 86400 sec (1 day) is a common default and a normal value for Phase 1, and 3600 sec (1 hour) is a common value for Phase 2.

    Phase 1 doesn't necessarily have to be equal, but phase 2 should be equal.
    * Currently pursuing: PhD: Information Security and Information Assurance
    * Certifications: CISSP, CEH, CHFI, CCNA:Sec, CCNA:R&S, CWNA, ITILv3, VCA-DCV, LPIC-1, A+, Network+, Security+, Linux+, Project+, and many more...
    * Degrees: MSc: Cybersecurity and Information Assurance; BSc: Information Technology - Security; AAS: IT Network Systems Administration
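The two rules in the answer above (phase 1 lifetime longer than phase 2, phase 2 lifetime identical on both peers) and the rekey-race worry from the question are easy to check mechanically. The script below is an added example, not code from this thread or from any vendor; the field names borrow strongSwan's ipsec.conf keywords (ikelifetime, lifetime, margintime, rekeyfuzz), the two peers are constructed, and the rekey timing model is a deliberate simplification: each side starts rekeying somewhere between margintime and margintime*(1+rekeyfuzz) seconds before the hard expiry.

```python
import random
from dataclasses import dataclass

# Constructed example peers. Field names follow strongSwan's ipsec.conf
# keywords (ikelifetime, lifetime, margintime, rekeyfuzz); the rekey
# model below is a simplification of that behaviour, not a copy of it.

@dataclass(frozen=True)
class Peer:
    name: str
    ikelifetime: int        # phase 1 (IKE/ISAKMP SA) lifetime, seconds
    lifetime: int           # phase 2 (IPsec/CHILD SA) lifetime, seconds
    margintime: int = 540   # rekey starts this long before hard expiry (9 min)
    rekeyfuzz: float = 1.0  # margintime randomly increased by up to 100%


def check_lifetimes(a: Peer, b: Peer) -> list[str]:
    """Return a list of findings; an empty list means the settings follow
    the advice in the thread (phase 1 > phase 2, phase 2 equal on both ends)."""
    findings = []
    for p in (a, b):
        if p.ikelifetime <= p.lifetime:
            findings.append(
                f"{p.name}: phase 1 lifetime {p.ikelifetime}s must exceed "
                f"phase 2 lifetime {p.lifetime}s")
        if p.margintime * (1 + p.rekeyfuzz) >= p.lifetime:
            findings.append(
                f"{p.name}: rekey margin can reach the whole phase 2 lifetime")
    if a.lifetime != b.lifetime:
        findings.append(
            f"phase 2 lifetimes differ: {a.name}={a.lifetime}s, "
            f"{b.name}={b.lifetime}s")
    return findings


def rekey_time(p: Peer, rng: random.Random) -> float:
    """Seconds after SA creation at which this peer starts a phase 2 rekey
    (assumed model: hard lifetime minus a randomly widened margin)."""
    margin = p.margintime + rng.random() * p.margintime * p.rekeyfuzz
    return p.lifetime - margin


def rekey_collisions(a: Peer, b: Peer, trials: int = 1000,
                     window: float = 2.0, seed: int = 1) -> int:
    """Count trials in which both peers start a rekey within `window` seconds
    of each other, i.e. the 'both renew at once' case from the question."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if abs(rekey_time(a, rng) - rekey_time(b, rng)) < window:
            hits += 1
    return hits


if __name__ == "__main__":
    hq = Peer("hq", ikelifetime=86400, lifetime=3600)
    branch = Peer("branch", ikelifetime=28800, lifetime=3600)
    print(check_lifetimes(hq, branch))                 # phase 1 differs: fine
    print(check_lifetimes(hq, Peer("bad", 3600, 3600)))  # phase 1 not > phase 2
    # Equal lifetimes with no jitter: both sides rekey at the same instant.
    no_fuzz = [Peer(n, 86400, 3600, rekeyfuzz=0.0) for n in ("a", "b")]
    print(rekey_collisions(*no_fuzz))
    # Equal lifetimes with the default jitter: near-simultaneous rekeys are rare.
    print(rekey_collisions(hq, branch))
```

The simulation shows why matching phase 2 lifetimes is not by itself a problem: real implementations randomise the rekey margin so the two ends rarely start at the same moment, and IKEv2 additionally defines how to resolve a genuinely simultaneous rekey (RFC 7296, section 2.8.1). The check function is the part worth keeping in a config review: it flags phase 1 not exceeding phase 2 on either side and a phase 2 mismatch between the sides, while tolerating different phase 1 values, exactly as the answer recommends.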
  • DANMOH009:
    Ahh, great, thanks.

    What happens if they are not equal? Can you explain what would occur?