Which of the following statements is true regarding the SA lifetime specified in a matching IKE policy? (Select
the best answer.)
A.
The value specified by the remote peer must be equal to the value specified by the local peer.
B.
The value specified by the remote peer must be less than or equal to the value specified by the local peer.
C.
The value specified by the remote peer must be greater than or equal to the value specified by the local
peer.
D.
The value specified by the remote peer must be less than the value specified by the local peer.
E.
The value specified by the remote peer must be greater than the value specified by the local peer.
Explanation:
In an Internet Key Exchange (IKE) policy, the security association (SA) lifetime specified by the remote peer
must be less than or equal to the value specified by the local peer. Virtual private network (VPN) peers
establish a connection through a series of negotiations and authentications. Initially, the VPN peers negotiate
an IKE SA and establish a tunnel for key management and authentication. This initial phase is referred to as
IKE phase 1. The key management tunnel is used to protect the subsequent negotiation of IP Security (IPSec)
SAs. This secondary negotiation phase is referred to as IKE phase 2.Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to
negotiate the creation of the key management tunnel in IKE phase 1. There are six required parameters in an
IKE policy:
Policy priority – specifies the order in which policies are negotiated with a peer
Authentication method – indicates whether a preshared key or an RSA digital certificate is used to verify the
identity of an IKE peer
Encryption algorithm – indicates the data protection method used to secure IKE traffic
Hashbased Message Authentication Code (HMAC) algorithm – indicates the data integrity method used
to verify the integrity of IKE traffic
DiffieHellman (DH) group – specifies how keying material is generated between IKE peers
Lifetime – specifies the length of time that a key is considered valid? the default is 86,400 seconds, or 24
hours
If an IKE policy does not specify a parameter and its associated value, the VPN peer will use the default value
by default. For example, the default IKE policy settings for a Cisco Apative Security Appliance (ASA) running
software revision 8.4 or higher are shown below:
The default IKE policy settings are combined with the configuration parameters specified in the running
configuration. For example, because the following block of commands does not specify an HMAC algorithm,
the ASA would use the default value, which is SHA1:
ASA(config)#crypto ikev1 policy 1
ASA(configikev1policy)#authentication rsasig
ASA(configikev1policy)#encryption aes 192
ASA(configikev1policy)#group 1
ASA(configikev1policy)#lifetime 14400
In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must
agree on security parameters. For example, when ASA1 sends an IKE policy proposal to ASA2, the IKE policy
is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match to one of
ASA2’s locally defined policies? otherwise, it will be rejected. The one exception to this rule is the value of the
IKE lifetime parameter. An IKE lifetime is considered a match if the value is less than or equal to the IKE
lifetime defined in the local policy. If the IKE lifetime value is less than that of the local policy, the router will use
the lesser of the two values. For example, when ASA1 initiates a connection to ASA2, ASA1 will only consider
lifetime values from ASA2’s policies as matching if they are less than or equal to 14,400 seconds.Cisco: Cisco IOS Security Command Reference: lifetime (IKE policy)
