Microsoft KB Archive/256257

= Internet Key Exchange Security Association Expires Based on the Quick-Mode Lifetime Value =

Article ID: 256257

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q256257





SYMPTOMS
When you configure the Internet Key Exchange (IKE) Main-mode lifetime to a value lower than the value configured for the IKE Quick-mode lifetime, the IKE Quick-mode security association (SA) expires based on the Quick-mode lifetime value.



STATUS
This behavior is by design.



MORE INFORMATION
Quick-mode SAs remain active regardless of the Main-mode lifetime value, and can be used by a connection that is using Internet Security Protocol (IPSec) after the Main-mode SA expires. Changing this behavior could create interoperability issues with Cisco IOS.

To configure Main-mode and Quick-mode key exchange lifetime settings:

Main Mode

 * 1) Start the IP Security Policies on Local Machine snap-in by using Microsoft Management Console (MMC).
 * 2) Double-click the appropriate Internet Protocol (IP) security policy, click the General tab, and then click Advanced. You can configure Main-mode key exchange lifetime settings by using the Key Exchange Settings dialog box.

Quick Mode

 * 1) Start the IP Security Policies on Local Machine snap-in.
 * 2) Double-click the appropriate IP security policy, click the Rules tab, click the appropriate IP security rule, and then click Edit.
 * 3) Click the Filter Action tab, click the appropriate filter action, and then click Edit.
 * 4) Click the appropriate security method, click Edit, and then click Settings. You can configure Quick-mode key exchange lifetime settings by using the Session Key Settings dialog box.

Additional query words: oakley

Keywords: kbipsec kbprb KB256257

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.