Controller Based WLANs

Why the RAP IKE and IPSEC rekey lifetime configured from apboot doesn't take effect?
Q:

Why the RAP IKE and IPSEC rekey lifetime configured from apboot doesn't take effect? 

 



A:

The RAP IKE and IPSEC rekey lifetime(secs) can be configured for RAP using the below environmental variables in the apboot. 

apboot>setenv ikep1_lifetime <secs>  ----------> IKE Rekey Lifetime.
apboot>setenv ikep2_lifetime <secs>  ----------> IPSEC Rekey Lifetime.

Note#  The default hard-coded lifetime defined on RAP’s are  IKE- 28800 secs (8hrs) ;  IPSEC -7200 secs (2hrs). 

 

The configured value can be verified using the below commands once the RAP is up on the controller. 

(RAP) #show crypto isakmp sa peer <public ip>
(RAP) #show crypto ipsec sa peer <public ip> 

 

Example: 

(Master-7210) #show crypto isakmp sa peer 10.29.165.243 

 Initiator IP: 10.29.165.243
 Responder IP: 10.29.163.2
 Initiator: No
 Initiator cookie:e3cc155dbb8c31b7 Responder cookie:50cabeabb6a60418
 SA Creation Date: Thu Sep 29 21:18:18 2016
 Life secs: 28800
 Initiator Phase1 ID: CN=DZ0011306::f0:5c:19:ca:43:64
 Responder Phase1 ID: CN=BA0006960::00:1a:1e:01:36:70 L=SW
 Exchange Type: IKE_SA (IKEV2) 
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 
 Authentication Method: RSA Digital Signature 2048-bits
 CFG Inner-IP 2.2.2.2
 IPSEC SA Rekey Number: 1
 Aruba AP
 

(Master-7210) #show crypto ipsec sa peer 10.29.165.243 

 Initiator IP: 10.29.165.243
 Responder IP: 10.29.163.2
 Initiator: No
 SA Creation Date: Thu Sep 29 22:05:09 2016
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2) 
 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1 
 Encapsulation Mode Tunnel
 IP Compression Disabled
 PFS: no
 IN SPI: 93CBE600, OUT SPI: B3B1AB00
 CFG Inner-IP 2.2.2.2
 Responder IP: 10.29.163.2

 

Sometimes, we may see the configured lifetime does not reflect in the show command while verifying. The configured lifetime takes effect only for PSK based RAP that negotiates in IKEv1. Lifetime is not negotiated in IKEv2, so for IKEv2 AP, lifetime on controller is always default.  

Version History
Revision #:
2 of 2
Last update:
‎10-18-2016 03:06 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.