IKE regeneration time

skygremlin · June 13, 2019, 3:51pm

I’m working in my lab on some site-to-site VPN stuff and was wondering if someone could help me. Understand something…

My Setup is asa5505 <-> rtr2801 <-> rtr2911 <-> asa5505

I’m trying to verify that my IKE’s are regenerating every 15 minutes…. Below are some CLI outputs… Does this tell me that the life of the IKE’s is 900 seconds after the slash is time left… And Turned-id is the new tunnel with the new IKE’s

ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 69714249           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/810 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
193031137           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/5 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
288927687           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/816 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
362523125           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/26 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#

lagapidis · June 14, 2019, 5:40am

A post was merged into an existing topic: Cisco ASA Site-to-Site IKEv2 IPSEC VPN