ipsec s2s vpn question
Actually, I asked this question on another forum, but haven't yet received an answer, so I'm asking it here, even though it's really not a CCIE-level question.
I've got a couple of questions concerning ipsec s2s vpn. Hope someone will help me, because I can't get answers to my dumb questions.
I'm just labbing a simple topology in gns3 and playing around trying to understand ipsec s2s vpn.
And I got confused with this:
When defining an ISAKMP policy you can specify a lifetime
crypto isakmp policy 10
<60-86400> lifetime in seconds
Even if you define this only on one side, the lowest value would be taken and IKE phase 1 will last only 60 seconds, for example.
The main question is - when 60 seconds are gone, the IKE phase 2 tunnel (ipsec) feels ok, it doesn't get purged, it passes traffic through, everything is ok.
So... my confusion is - I thought that phase 2 cannot exist without an underlying alive and up phase 1. Am I wrong?
Default ipsec SA lifetime is 1 hour.
After 1 hour both sides will purge the ipsec SA and try to establish a new one with a brand new key for the symmetric-key enc algorithm.
Am I right?
I've got Q3, but I should get an answer to one of these to correctly state my Q3.
Thanks a lot, sorry for my English.