NEC ZA-SA3500G Function Manual page 223

*When all Internet traffic is sent through the IPsec tunnel.
■Rekey timing
The rekey timing of the IKE SA/IPsec SA is determined from the IKE Phase 1/Phase 2 lifetime.
The rekey time is chosen at random between 70% and 85% of the lifetime.
*For IKEv2, the lifetime of the IKE_SA_INIT exchange/IKE_AUTH exchange applies.
[Example]
When IKE Phase 1 lifetime is 28,800 seconds
28800 x 0.70 = 20160 seconds [Minimum value]
28800 x 0.85 = 24480 seconds [Maximum value]
Rekey is executed during this time.
■Local and remote IDs of IKEv1 IKE Phase 1/Phase 2 are treated as follows.

| Phase | Mode | Behavior | Peer | Direction | IKE (IKE Phase1) local-id / remote-id | IPsec (IKE Phase2) local-id / remote-id |
|---|---|---|---|---|---|---|
| IKE Phase1 (=Ph1) | main mode | initiator | 1 | Send | Send in sequence 5 | Not sent |
| IKE Phase1 (=Ph1) | main mode | initiator | 1 | Receive from peer | Compare with remote-id of local station. | Unused |
| IKE Phase1 (=Ph1) | main mode | responder | 1 | Send | Send in sequence 6 | Not sent |
| IKE Phase1 (=Ph1) | main mode | responder | 1 | Receive from peer | Compare with remote-id of local station. | Unused |
| IKE Phase1 (=Ph1) | aggressive mode | initiator | 1 | Send | Send in sequence 1 | Not sent |
| IKE Phase1 (=Ph1) | aggressive mode | initiator | 1 | Receive from peer | Compare with remote-id of local station. | Unused |
| IKE Phase1 (=Ph1) | aggressive mode | responder | 1 | Send | Send in sequence 2 | Not sent |
| IKE Phase1 (=Ph1) | aggressive mode | responder | 1 | Receive from peer | Compare with remote-id of local station. | Unused |

ALL:ALL
(any)
*
0.0.0.0/0 or not specified (blank)
|Setting/Setting Confirmation