IKEv2 Main Mode Phase 1 SA lifetime wrong in downloadable configuration

Jasper Versteegh 45 Reputation points
2025-12-17T09:41:44.4666667+00:00

Contrary to what the Azure VPN configuration shows under "Download configuration," the IKEv2 Main Mode Phase 1 SA lifetime and the IPsec Quick Mode Phase 2 SA lifetime are not the same. In the export, it appears as if both have the same value, but that's not correct. The IKE Main Mode SA lifetime is fixed at 28,800 seconds on Azure VPN gateways.

When my VPN Gateway has the following ipsecPolicies:

```json
"ipsecPolicies": [
    {
        "saLifeTimeSeconds": 86400,
        "saDataSizeKilobytes": 0,
        "ipsecEncryption": "AES256",
        "ipsecIntegrity": "SHA256",
        "ikeEncryption": "AES256",
        "ikeIntegrity": "SHA256",
        "dhGroup": "DHGroup14",
        "pfsGroup": "PFS2048"
    }
],
```

The Download configuration with the following settings (Device vendor: Generic Samples, Device family: Device Parameters, Firmware version: Generic-Samples-Device-Parameters) shows:

```text
! [2] IPsec/IKE parameters
!
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrityalgorithm:    sha256
!     + Diffie-Hellman group:  14
!     + SA lifetime (seconds): 86400
!     + UsePolicyBasedTS:      False
!
!   > IPsec
!     + Encryption algorithm:  esp-aes 256
!     + Integrity algorithm:   esp-sha256-hmac
!     + PFS Group:             group14
!     + SA lifetime (seconds): 86400
```

This shows the IKEv2 Main Mode Phase 1 SA lifetime to be 86400s (24 hours). This is incorrect, as the IKE Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways. It cannot be 86400s. Please fix the export functionality as this took us literally hours and days troubleshooting connections.

Azure VPN Gateway

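The export format quoted above is simple enough to check mechanically. The following added example (not code from the question author or from Microsoft) parses the "Generic Samples / Device Parameters" text, pulls the IKE (Phase 1) and IPsec (Phase 2) SA lifetimes out of their sections, and reports the Phase 1 value next to the 28,800 s the gateway actually enforces, so the mismatch is visible before anyone types the exported number into an on-premises device. The sample text is constructed from the post; the regular expressions and the 28,800 s constant are assumptions based on what the post states.

```python
import re
# IKE Phase 1 (Main Mode) SA lifetime fixed on Azure VPN gateways, as stated in the post.
AZURE_IKE_SA_LIFETIME_SECONDS = 28800
# Constructed sample: the "Generic Samples / Device Parameters" export quoted in the question.
SAMPLE_EXPORT = """\
! [2] IPsec/IKE parameters
!
!   > IKE version:             IKEv2
!     + Encryption algorithm:  aes-cbc-256
!     + Integrity algorithm:   sha256
!     + Diffie-Hellman group:  14
!     + SA lifetime (seconds): 86400
!     + UsePolicyBasedTS:      False
!
!   > IPsec
!     + Encryption algorithm:  esp-aes 256
!     + Integrity algorithm:   esp-sha256-hmac
!     + PFS Group:             group14
!     + SA lifetime (seconds): 86400
"""

SECTION_RE = re.compile(r"^!\s*>\s*(\w+)")             # "!   > IKE version: ..." or "!   > IPsec"
PARAM_RE = re.compile(r"^!\s*\+\s*(.+?):\s*(.+?)\s*$")  # "!     + Key:  value"


def parse_export(text):
    """Group each '+ key: value' line under the '>' section it belongs to ("IKE" or "IPsec")."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current:
            sections[current][m.group(1)] = m.group(2)
    return sections


def effective_lifetimes(text):
    """Lifetimes the export claims next to the Phase 1 value the gateway really enforces."""
    sections = parse_export(text)
    ike_claimed = int(sections["IKE"]["SA lifetime (seconds)"])
    return {
        "ike_claimed": ike_claimed,                       # what the export prints
        "ike_effective": AZURE_IKE_SA_LIFETIME_SECONDS,   # what the gateway uses
        "ipsec": int(sections["IPsec"]["SA lifetime (seconds)"]),
        "export_mismatch": ike_claimed != AZURE_IKE_SA_LIFETIME_SECONDS,
    }
```

Configure the on-premises peer from `ike_effective` and `ipsec`, not from the two identical numbers the export prints.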
Answer accepted by question author

Vallepu Venkateswarlu 9,830 Reputation points Microsoft External Staff Moderator
2025-12-17T12:33:58.5733333+00:00

Hi @Jasper Versteegh,

Welcome to Microsoft Q&A Platform.

As per the Default IPsec/IKE parameters, the IKE Phase 1 (Main Mode) SA lifetime is fixed at 28,800 seconds for Azure VPN Gateways and cannot be changed for both policy-based and route-based gateways.

Please configure your on-premises VPN devices according to the Microsoft-documented IKE/IPsec parameters mentioned above.

Regarding the export inconsistency, you can submit feedback through the Azure portal.

The team will review it and make any necessary updates.
You can submit this issue through: Azure Portal → Help + support → Give feedback.

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please “accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

This will help us and others in the community as well.
