I think I figured it out after doing some more reading.  I am pretty
certain that the TEK lifetime is the same thing as the IPSEC SA
lifetime configured under the IPSEC profile, but the rekey configured
under the GDOI configuration is actually just for the KEK lifetime.
Correct me if I am wrong please and thank you!

On Mon, Mar 19, 2012 at 10:20 AM, Joe Astorino
<[email protected]> wrote:
> Hello,
>
> My current understanding is that the TEK pushed down to GMs in GETVPN
> is based on the IPSEC transform-set / profile configured on the KS.
> Under the IPSEC profile we can set the SA lifetime in seconds.  At the
> same time, we can set the rekey time in seconds under the GDOI
> configuration.  I am a little confused on this topic because to me on
> the surface it seems like the same thing.  What is the difference
> between the IPSEC SA lifetime and the rekey lifetime?
>
> I get that after x amount of time the SA keys need to be refreshed.  Is that
> after the SA lifetime expires, or after the rekey time expires?
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan



-- 
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
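
The two timers discussed in this thread, shown where each one is set in a GETVPN key server configuration. This is an added example, not configuration from the original post; the transform-set, profile, group, ACL and key-label names, the identity number, the address and the timer values are all constructed placeholders.

```ios
! Constructed key server (KS) example. All names, addresses and
! timer values below are placeholders chosen for illustration.

crypto ipsec transform-set GETVPN-TSET esp-aes esp-sha-hmac
!
crypto ipsec profile GETVPN-PROFILE
 ! TEK lifetime: the lifetime of the IPsec SAs pushed to the GMs.
 ! GMs receive replacement TEKs from the KS before this expires.
 set security-association lifetime seconds 7200
 set transform-set GETVPN-TSET
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! KEK lifetime: the lifetime of the key that protects the
  ! rekey messages themselves, not the data-plane traffic.
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-KEYS
  rekey transport unicast
  sa ipsec 1
   ! The TEK policy comes from the IPsec profile referenced here.
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT-ACL
  address ipv4 192.0.2.1
!
! On the KS, "show crypto gdoi ks policy" displays the KEK and TEK
! policies with their configured and remaining lifetimes, which
! makes it easy to confirm which timer belongs to which key.
```

Keeping the KEK lifetime several times longer than the TEK lifetime, as in the values above, means the data-plane keys rotate often while the rekey channel itself is re-established less frequently.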