Yes, that's because of TBAR.

2012/3/19 Joe Astorino <[email protected]>
> Thanks for the confirmation. Regarding the 2 hour rekey, isn't that
> due to TBAR being configured? If so, isn't that not on by default?
>
> On Mon, Mar 19, 2012 at 1:49 PM, Piotr Matusiak <[email protected]> wrote:
> > Correct!
> > To add something useful to that post, just want to say that even if you
> > configure TEK lifetime of 24h, the rekey will trigger every 2h. This is
> > because there is pseudo-time delivered/sync between KS and GMs. The TEK
> > does not change every 2 hours though.
> >
> > 2012/3/19 Joe Astorino <[email protected]>
> >>
> >> I think I figured it out after doing some more reading. I am pretty
> >> certain that the TEK lifetime is the same thing as the IPSEC SA
> >> lifetime configured under the IPSEC profile, but the rekey configured
> >> under the GDOI configuration is actually just for the KEK lifetime.
> >> Correct me if I am wrong please and thank you!
> >>
> >> On Mon, Mar 19, 2012 at 10:20 AM, Joe Astorino
> >> <[email protected]> wrote:
> >> > Hello,
> >> >
> >> > My current understanding is that the TEK pushed down to GMs in GETVPN
> >> > is based on the IPSEC transform-set / profile configured on the KS.
> >> > Under the IPSEC profile we can set the SA lifetime in seconds. At the
> >> > same time, we can set the rekey time in seconds under the GDOI
> >> > configuration. I am a little confused on this topic because to me on
> >> > the surface it seems like the same thing. What is the difference
> >> > between the IPSEC SA lifetime and the rekey lifetime?
> >> >
> >> > I get that after x amount of time the SA keys need refreshed. Is that
> >> > after the SA lifetime expires, or after the rekey time expires?
> >> >
> >> > --
> >> > Regards,
> >> >
> >> > Joe Astorino
> >> > CCIE #24347
> >> > http://astorinonetworks.com
> >> >
> >> > "He not busy being born is busy dying" - Dylan
> >>
> >> _______________________________________________
> >> For more information regarding industry leading CCIE Lab training, please
> >> visit www.ipexpert.com
> >>
> >> Are you a CCNP or CCIE and looking for a job? Check out
> >> www.PlatinumPlacement.com
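The three settings discussed in this thread, placed side by side in a key server configuration as an added example that is not from any of the posters. The group, profile, transform-set, ACL and key-label names, the identity number, the address and every value other than the 24-hour TEK lifetime are constructed for illustration.

```cisco
! Added example, not from the thread. All names, the address and the
! identity number are constructed.
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GETVPN-PROFILE
 ! TEK lifetime: per the thread, this is the IPsec SA lifetime set under
 ! the IPsec profile (24 h, the value used in the thread).
 set security-association lifetime seconds 86400
 set transform-set GETVPN-TS
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! KEK lifetime: per the thread, the rekey lifetime under the GDOI
  ! configuration applies to the KEK only (value constructed).
  rekey lifetime seconds 43200
  rekey authentication mypubkey rsa GETVPN-REKEY-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   ! TBAR (time-based anti-replay): per the thread, with this configured
   ! the KS sends a rekey every 2 h to sync pseudo-time with the GMs,
   ! while the TEK itself keeps its 24 h lifetime.
   replay time window-size 5
  address ipv4 192.0.2.1
```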
