-
Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T
-
Overview: Secure Connectivity
-
Internet Key Exchange for IPsec VPNs
-
Configuring Internet Key Exchange for IPsec VPNs
-
Call Admission Control for IKE
-
Certificate to ISAKMP Profile Mapping
-
Encrypted Preshared Key
-
Fragmentation of IKE Packets
-
IKE Responder-Only Mode
-
Distinguished Name Based Crypto Maps
-
IPsec and Quality of Service
-
VRF-Aware IPsec
-
IKE: Initiate Aggressive Mode (12.2(8)T FM)
-
-
Security for VPNs with IPsec
-
Configuring Security for VPNs with IPsec
-
IPsec Virtual Tunnel Interface
-
L2TP—IPsec Support for NAT and PAT Windows Clients
-
SafeNet IPsec VPN Client Support
-
Ability to Disable Extended Authentication for Static IPsec Peers
-
Sharing IPsec with Tunnel Protection
-
Crypto Conditional Debug Support
-
VPN Acceleration Module (VAM)
-
Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
-
- VPN Availability
-
IPsec Data Plane
-
IPsec Anti-Replay Window: Expanding and Disabling
-
Pre-Fragmentation for IPsec VPNs
-
Invalid Security Parameter Index Recovery
-
IPsec Dead Peer Detection Periodic Message Option
-
IPsec NAT Transparency
-
DF Bit Override Functionality with IPsec Tunnels
-
Crypto Access Check on Clear-Text Packets
-
IPsec Security Association Idle Timers
-
Low Latency Queueing (LLQ) for IPsec Encryption Engines
-
- IPsec Management Plane
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
Source Interface Selection for Outgoing Traffic with Certificate Authority (CA)
-
- Dynamic Multipoint VPN (DMVPN)
- Easy VPN
-
Cisco Group Encrypted Transport VPN
- SSL VPN
-
Table Of Contents
IPsec Security Association Idle Timers
Prerequisites for IPsec Security Association Idle Timers
Information About IPsec Security Association Idle Timers
Lifetimes for IPsec Security Associations
IPsec Security Association Idle Timers
Benefits of IPsec Security Association Idle Timers
How to Configure IPsec Security Association Idle Timers
Configuring the IPsec SA Idle Timer Globally
Configuring the IPsec SA Idle Timer per Crypto Map
Configuration Examples for IPsec Security Association Idle Timers
Configuring the IPsec SA Idle Timer Globally Example
Configuring the IPsec SA Idle Timer per Crypto Map Example
IPsec Security Association Idle Timers
When a router running the Cisco IOS software creates an IPsec security association (SA) for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers. The IPsec Security Association Idle Timers feature introduces a configurable idle timer to monitor SAs for activity, allowing SAs for idle peers to be deleted. Benefits of this feature include:
•
Increased availability of resources
•
Feature Specifications for IPsec Security Association Idle Timers
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
•
•
•
•
Prerequisites for IPsec Security Association Idle Timers
You must configure Internet Key Exchange (IKE) as described in Internet Key Exchange for IPsec VPNs.
Information About IPsec Security Association Idle Timers
To configure the IPsec Security Association Idle Timers feature, you must understand the following concepts:
•
•
•
Lifetimes for IPsec Security Associations
The Cisco IOS software currently allows the configuration of lifetimes for IPsec SAs. Lifetimes can be configured globally or per crypto map. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires after the first of these lifetimes is reached.
IPsec Security Association Idle Timers
The IPsec SA idle timers are different from the global lifetimes for IPsec SAs. The expiration of the global lifetime is independent of peer activity. The IPsec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.
If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.
Note
Benefits of IPsec Security Association Idle Timers
Increased Availability of Resources
Configuring the IPsec Security Association Idle Timers feature increases the availability of resources by deleting SAs associated with idle peers.
Improved Scalability of Cisco IOS IPsec Deployments
Because the IPsec Security Association Idle Timers feature prevents the wasting of resources by idle peers, more resources will be available to create new SAs as required.
How to Configure IPsec Security Association Idle Timers
•
•
Configuring the IPsec SA Idle Timer Globally
This task configures the IPsec SA idle timer globally. The idle timer configuration will be applied to all SAs.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuring the IPsec SA Idle Timer per Crypto Map
This task configures the IPsec SA idle timer for a specified crypto map. The idle timer configuration will be applied to all SAs under the specified crypto map.
Note
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuration Examples for IPsec Security Association Idle Timers
•
•
Configuring the IPsec SA Idle Timer Globally Example
The following example globally configures the IPsec SA idle timer to drop SAs for inactive peers after 600 seconds:
crypto ipsec security-association idle-time 600Configuring the IPsec SA Idle Timer per Crypto Map Example
The following example configures the IPsec SA idle timer for the crypto map named test to drop SAs for inactive peers after 600 seconds:
crypto map test 1 ipsec-isakmpset security-association idle-time 600
Note
Additional References
For additional information related to IPsec Security Association Idle Timers, see the following sections:
•
•
Related Documents
Additional information about configuring IKE
Additional information about configuring global lifetimes for IPsec SAs
•
Additional Security commands
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features
•
•
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.
