SA Key Lifetime and Re-Authentication Interval
In IKEv2, two IKE crypto profile values, Key Lifetime and IKEv2 Authentication Multiple, control the establishment of IKEv2 IKE SAs. The key lifetime is the length of time that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be re-keyed; otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA re-key. The default value is 8 hours.
The re-authentication interval is derived by multiplying the Key Lifetime by the IKEv2 Authentication Multiple. The authentication multiple defaults to 0, which disables the re-authentication feature.
The range of the authentication multiple is 0-50. For example, if you configure an authentication multiple of 20 with the default key lifetime of 8 hours, the system performs re-authentication every 20 re-keys, which is every 160 hours. That means the gateway could perform Child SA creation for 160 hours before the gateway must re-authenticate with IKE to recreate the IKE SA from scratch.
In IKEv2, the Initiator and Responder gateways have their own key lifetime value, and the gateway with the shorter key lifetime is the one that will request that the SA be re-keyed.
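
The rules above can be checked across a set of profiles before deployment. The following is an added example, not vendor code: the `IkeCryptoProfile` class, the sample profiles and the `max_reauth_hours` policy limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeCryptoProfile:            # hypothetical container, not a vendor API
    name: str
    key_lifetime_hours: float = 8  # Key Lifetime (default in the text: 8 hours)
    auth_multiple: int = 0         # IKEv2 Authentication Multiple (default: 0)


def reauth_interval_hours(p: IkeCryptoProfile) -> Optional[float]:
    """Key Lifetime x Authentication Multiple; None when re-auth is disabled."""
    if not 0 <= p.auth_multiple <= 50:
        raise ValueError(f"{p.name}: authentication multiple must be 0-50")
    if p.key_lifetime_hours <= 0:
        raise ValueError(f"{p.name}: key lifetime must be positive")
    if p.auth_multiple == 0:       # 0 disables the re-authentication feature
        return None
    return p.key_lifetime_hours * p.auth_multiple


def rekey_requester(a: IkeCryptoProfile, b: IkeCryptoProfile) -> Optional[str]:
    """Name of the gateway with the shorter key lifetime, which requests the re-key."""
    if a.key_lifetime_hours == b.key_lifetime_hours:
        return None                # the text does not cover equal lifetimes
    return min(a, b, key=lambda p: p.key_lifetime_hours).name


def audit(profiles: List[IkeCryptoProfile],
          max_reauth_hours: float) -> List[Tuple[str, str]]:
    """Flag profiles that never re-authenticate or exceed the assumed policy limit."""
    findings = []
    for p in profiles:
        interval = reauth_interval_hours(p)
        if interval is None:
            findings.append((p.name, "re-authentication disabled (multiple = 0)"))
        elif interval > max_reauth_hours:
            findings.append((p.name, f"re-authenticates every {interval:g} h; "
                                     f"limit {max_reauth_hours:g} h"))
    return findings


# Constructed sample profiles (names and values are illustrative only).
SAMPLE = [IkeCryptoProfile("hq-gw", 8, 20),
          IkeCryptoProfile("branch-gw", 4, 0),
          IkeCryptoProfile("partner-gw", 8, 50)]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE, max_reauth_hours=168):
        print(f"{name}: {issue}")
```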