Microsoft KB Archive/256257

From BetaArchive Wiki
Knowledge Base

Article ID: 256257

Article Last Modified on 2/28/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition

This article was previously published under Q256257


When you configure the Internet Key Exchange (IKE) Main-mode lifetime to a value lower than the value configured for the IKE Quick-mode lifetime, the IKE Quick-mode security association (SA) expires based on the Quick-mode lifetime value.


This behavior is by design.


Quick-mode SAs remain active regardless of the Main-mode lifetime value, and can be used by a connection that is using Internet Protocol Security (IPSec) after the Main-mode SA expires. Changing this behavior could create interoperability issues with Cisco IOS.
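A simplified timeline model of the behavior described above, as an added example that is not part of the original article and is not Microsoft's IKE implementation. It assumes continuous traffic, a Quick-mode rekey exactly at expiry, and a new Main-mode SA negotiated only when a Quick-mode negotiation finds none alive; the function name `simulate` and the lifetimes (in seconds) are constructed for illustration.

```python
# Added example: simplified model, not Microsoft's IKE implementation.
def simulate(mm_lifetime, qm_lifetime, duration):
    """Return (events, unbacked) for `duration` seconds of continuous traffic.

    events   -- chronological (time_s, name) tuples
    unbacked -- seconds a Quick-mode SA carried traffic with no live
                Main-mode SA behind it
    """
    if min(mm_lifetime, qm_lifetime) <= 0:
        raise ValueError("lifetimes must be positive")
    events, unbacked = [], 0
    mm_expiry = None          # no Main-mode SA negotiated yet
    t = 0
    while t < duration:
        # Quick-mode negotiation runs under a Main-mode SA; build one if
        # needed (assumption: Main mode is negotiated on demand only).
        if mm_expiry is None or t >= mm_expiry:
            events.append((t, "MM negotiate"))
            mm_expiry = t + mm_lifetime
        events.append((t, "QM negotiate"))
        qm_expiry = t + qm_lifetime
        # Main-mode expiry inside this Quick-mode SA's life does not end the
        # Quick-mode SA: it keeps protecting traffic until its own lifetime.
        if t < mm_expiry <= qm_expiry:
            events.append((mm_expiry, "MM expire (QM SA stays active)"))
            unbacked += min(qm_expiry, duration) - min(mm_expiry, duration)
        events.append((qm_expiry, "QM expire"))
        t = qm_expiry         # assumption: rekey exactly at expiry
    return events, unbacked


if __name__ == "__main__":
    # Constructed lifetimes in seconds: Main mode 600, Quick mode 3600.
    for when, what in simulate(600, 3600, 7200)[0]:
        print(f"{when:>6}s  {what}")
```

With the Main-mode lifetime set lower than the Quick-mode lifetime, the session keys rotate on the Quick-mode schedule only, so the Quick-mode value is the one to review when assessing key exposure time.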

To configure Main-mode and Quick-mode key exchange lifetime settings:

Main Mode

  1. Start the IP Security Policies on Local Machine snap-in by using Microsoft Management Console (MMC).
  2. Double-click the appropriate Internet Protocol (IP) security policy, click the General tab, and then click Advanced. You can configure Main-mode key exchange lifetime settings by using the Key Exchange Settings dialog box.

Quick Mode

  1. Start the IP Security Policies on Local Machine snap-in.
  2. Double-click the appropriate IP security policy, click the Rules tab, click the appropriate IP security rule, and then click Edit.
  3. Click the Filter Action tab, click the appropriate filter action, and then click Edit.
  4. Click the appropriate security method, click Edit, and then click Settings. You can configure Quick-mode key exchange lifetime settings by using the Session Key Settings dialog box.

Additional query words: oakley

Keywords: kbipsec kbprb KB256257