Network Security
Change the Key Lifetime or Authentication Interval for IKEv2
Table of Contents
Change the Key Lifetime or Authentication Interval for IKEv2
| Where Can I Use This? | What Do I Need? |
|---|---|
| No license required |
In IKEv2, two IKE Crypto profile values, Key Lifetime and
IKEv2 Authentication Multiple, control the establishment
of IKEv2 IKE SAs. The key lifetime is the length of time that a negotiated IKE SA
key is effective. Before the key lifetime expires, the SA must be re-keyed;
otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA re-key. The default
value is 8 hours.
The reauthentication interval is derived by multiplying the Key
Lifetime by the IKEv2 Authentication
Multiple. The authentication multiple defaults to 0, which disables the
reauthentication feature.
The range of the authentication multiple is 0-50. So, if you were to configure an
authentication multiple of 20, for example, the system would perform
reauthentication every 20 re-keys, which is every 160 hours. That means the gateway
could perform Child SA creation for 160 hours before the gateway must reauthenticate
with IKE to recreate the IKE SA from scratch.
In IKEv2, the Initiator and Responder gateways have their own key lifetime value, and
the gateway with the shorter key lifetime is the one that will request that the SA
be re-keyed.
This task is optional; the default setting of the IKEv2 IKE SA re-key lifetime is 8
hours. The default setting of the IKEv2 Authentication Multiple is 0, meaning the
reauthentication feature is disabled.
To change the default values, perform the following task. A prerequisite is that an
IKE Crypto profile already exists.
- Change the SA key lifetime or authentication interval for an IKE Crypto profile.
- Select and select the IKE Crypto profile that applies to the local gateway.For the Key Lifetime, select a unit (Seconds, Minutes, Hours, or Days) and enter a value. The minimum is 3 minutes.For IKE Authentication Multiple, enter a value, which is multiplied by the lifetime to determine the reauthentication interval.Commit your changes.Click OK and Commit.
