Correct! To add something useful to that post, I just want to say that even if you configure a TEK lifetime of 24h, the rekey will trigger every 2h. This is because there is pseudo-time delivered/synced between the KS and GMs. The TEK does not change every 2 hours, though.

2012/3/19 Joe Astorino <[email protected]>

> I think I figured it out after doing some more reading. I am pretty
> certain that the TEK lifetime is the same thing as the IPSEC SA
> lifetime configured under the IPSEC profile, but the rekey configured
> under the GDOI configuration is actually just for the KEK lifetime.
> Correct me if I am wrong please and thank you!
>
> On Mon, Mar 19, 2012 at 10:20 AM, Joe Astorino
> <[email protected]> wrote:
> > Hello,
> >
> > My current understanding is that the TEK pushed down to GMs in GETVPN
> > is based on the IPSEC transform-set / profile configured on the KS.
> > Under the IPSEC profile we can set the SA lifetime in seconds. At the
> > same time, we can set the rekey time in seconds under the GDOI
> > configuration. I am a little confused on this topic because to me on
> > the surface it seems like the same thing. What is the difference
> > between the IPSEC SA lifetime and the rekey lifetime?
> >
> > I get that after x amount of time the SA keys need refreshed. Is that
> > after the SA lifetime expires, or after the rekey time expires?
> >
> > --
> > Regards,
> >
> > Joe Astorino
> > CCIE #24347
> > http://astorinonetworks.com
> >
> > "He not busy being born is busy dying" - Dylan
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
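
The two timers discussed in this thread, shown side by side in a key server configuration. This is an added example, not a configuration posted by anyone in the thread; the group name, identity number, profile, ACL and RSA key names, the server address and the lifetime values are all constructed placeholders.

```cisco
! Constructed key server (KS) example; all names, addresses and values are placeholders.
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
!
crypto ipsec profile GETVPN-PROFILE
 ! TEK lifetime: the IPsec SA lifetime set under the IPsec profile.
 ! This is how long the traffic keys pushed to the GMs stay valid.
 set security-association lifetime seconds 7200
 set transform-set GETVPN-TS
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! KEK lifetime: the rekey lifetime set under the GDOI group.
  ! This key protects the rekey messages themselves, not user traffic.
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-KEY
  rekey transport unicast
  sa ipsec 1
   ! The TEK policy references the IPsec profile above.
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   ! Time-based anti-replay, which relies on the pseudo-time
   ! kept in sync between the KS and the GMs.
   replay time window-size 5
  address ipv4 192.0.2.1
```

On the KS, `show crypto gdoi` reports the rekey (KEK) lifetime and the remaining lifetime of the IPsec SA (TEK) as separate values, which is a quick way to confirm which timer a given setting changed.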
