Cisco Default IPSEC Lifetime?

Hi

I always thought the default IPSEC lifetime was 3600 seconds aka 1 hour… Now looking at a Cisco Firepower Management Center, the default lifetime under the IPSEC section of a Site-to-Site VPN Tunnel says “Tunnel Duration: 28800 Seconds”

Google shows mixed results, some people say the default timer on ASA, and IOS Routers are 3600, while others say it’s the same as on the FMC…

Does anyone know why the default IPSEC Lifetime is 28800 and not 3600 and whether different Cisco products have different default lifetimes? And can you get the IPSEC Tunnel up if both ends have different lifetimes? I know Phase 1 (ISAKMP) can negotiate the tunnel with lifetime mismatch, in that case, the lowest lifetime is used, but is it the same for IPSEC?

28800 is a typical phase1 lifetime. Are you sure you’re looking at phase2?

Also, while not optimal, Cisco devices are pretty good at compensating for non-matching lifetimes at each end.

The default time is 86,400 seconds.

The real gotcha with Cisco VPNs is that they have a hidden default Lifesize for the VPN.

Referring to the official doc

It should be 24 hours - Default protection suite

3600 was default for IKEv1 and older devices I believe and 28800 default (phase 2) for IKEv2 and more recent devices - though on most devices the lifetime can be changed to whatever you want no matter the IKE version.

You can get tunnels up and passing traffic with mismatched lifetimes on both phase 1 and phase 2 but you will almost certainly run into issues such as the tunnel tearing itself down and renegotiating whilst still in use, resulting in a temporary loss of service for the end users.

No, 86400 seconds (1 day) is default for Phase 1, right? And apparently 28800 seems to be default for IPSEC (4 hours). There are so many other documents though, that say the default IPSEC lifetime is 3600 seconds (1 hour). So I can’t figure out whether Cisco has multiple different default timers for IPSEC depending on the product.

If you google you will find many examples from older ASA versions and routers displaying the default IPsec lifetime as 3600 seconds, but on the FMC UI, it seems to be 4 hours now.

The default for phase 1 is 86,400 seconds, but phase 2 (IPsec) it’s 28,800 seconds or 4,608,000 kilobytes - whichever comes first. There are different “default” timers for phase 2 though. On an ASR1006 the default phase 2 time is 3,600 seconds. It just comes down to the type of equipment. Also, you can disable lifetime kilobytes, too, which I recommend.
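As an added example (not from any poster in this thread), a small Python model of the point made above: a phase 2 SA expires on whichever of its time or kilobyte limit is hit first, so the real rekey interval depends on throughput, and with mismatched peers the side with the shorter effective limit rekeys first. The default figures are the ones quoted in the thread; the rule that the first-expiring side triggers the rekey is a modelling assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

KB = 1024  # bytes per kilobyte as used for IPsec lifesize accounting (assumption)


@dataclass(frozen=True)
class SaLifetime:
    """IPsec (phase 2) SA lifetime the way a Cisco peer expresses it."""
    seconds: int                 # time-based limit
    kilobytes: Optional[int]     # volume-based limit, None when disabled


# Constructed constants using the defaults quoted in the thread above.
FMC_DEFAULT = SaLifetime(seconds=28800, kilobytes=4608000)       # 4 h or 4,608,000 KB
IOS_LEGACY_DEFAULT = SaLifetime(seconds=3600, kilobytes=4608000)  # 1 h or 4,608,000 KB
FMC_NO_LIFESIZE = SaLifetime(seconds=28800, kilobytes=None)       # kilobyte limit disabled


def seconds_until_volume_limit(kilobytes: int, throughput_mbps: float) -> float:
    """Seconds a sustained flow needs to exhaust a kilobyte lifesize."""
    bytes_per_second = throughput_mbps * 1_000_000 / 8
    return kilobytes * KB / bytes_per_second


def first_expiry(lifetime: SaLifetime, throughput_mbps: float) -> Tuple[str, float]:
    """Return (reason, seconds) for whichever limit this peer hits first."""
    if lifetime.kilobytes is None or throughput_mbps <= 0:
        return ("seconds", float(lifetime.seconds))
    by_volume = seconds_until_volume_limit(lifetime.kilobytes, throughput_mbps)
    if by_volume < lifetime.seconds:
        return ("kilobytes", by_volume)
    return ("seconds", float(lifetime.seconds))


def earliest_rekey(local: SaLifetime, remote: SaLifetime, throughput_mbps: float) -> dict:
    """Model a mismatched pair: each side applies its own limits and the first
    side to expire tears down and renegotiates the SA (modelling assumption)."""
    l_reason, l_t = first_expiry(local, throughput_mbps)
    r_reason, r_t = first_expiry(remote, throughput_mbps)
    if l_t <= r_t:
        return {"side": "local", "reason": l_reason, "after_seconds": l_t}
    return {"side": "remote", "reason": r_reason, "after_seconds": r_t}


if __name__ == "__main__":
    # FMC default at a sustained 10 Mbit/s: the kilobyte limit fires in ~63 min,
    # long before the 4-hour timer the UI shows.
    print(first_expiry(FMC_DEFAULT, 10.0))
    print(earliest_rekey(FMC_DEFAULT, IOS_LEGACY_DEFAULT, 10.0))
    print(first_expiry(FMC_NO_LIFESIZE, 10.0))
```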

That sounds correct. I’d have to look it up again just like I do every time it bites me in the ass.