Thanks for the confirmation. Regarding the 2 hour rekey, isn't that due to TBAR being configured? If so, isn't that not on by default?
On Mon, Mar 19, 2012 at 1:49 PM, Piotr Matusiak <[email protected]> wrote:
> Correct!
> To add something useful to that post, just want to say that even if you
> configure a TEK lifetime of 24h, the rekey will trigger every 2h. This is
> because there is pseudo-time delivered/synced between KS and GMs. The TEK does
> not change every 2 hours tho.
>
> 2012/3/19 Joe Astorino <[email protected]>
>>
>> I think I figured it out after doing some more reading. I am pretty
>> certain that the TEK lifetime is the same thing as the IPSEC SA
>> lifetime configured under the IPSEC profile, but the rekey configured
>> under the GDOI configuration is actually just for the KEK lifetime.
>> Correct me if I am wrong please and thank you!
>>
>> On Mon, Mar 19, 2012 at 10:20 AM, Joe Astorino
>> <[email protected]> wrote:
>> > Hello,
>> >
>> > My current understanding is that the TEK pushed down to GMs in GETVPN
>> > is based on the IPSEC transform-set / profile configured on the KS.
>> > Under the IPSEC profile we can set the SA lifetime in seconds. At the
>> > same time, we can set the rekey time in seconds under the GDOI
>> > configuration. I am a little confused on this topic because to me on
>> > the surface it seems like the same thing. What is the difference
>> > between the IPSEC SA lifetime and the rekey lifetime?
>> >
>> > I get that after x amount of time the SA keys need to be refreshed. Is that
>> > after the SA lifetime expires, or after the rekey time expires?
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino
>> > CCIE #24347
>> > http://astorinonetworks.com
>> >
>> > "He not busy being born is busy dying" - Dylan
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
