Below are the key points for configuring the Branch-to-Branch (B2B) IPsec lifetime and rekey values.

In the default configuration pushed by the workflow, the B2B IPsec lifetime and rekey values are set to 28800 and 6300 seconds, respectively. However, these values are not programmed into the data plane exactly as configured. To avoid a large gap between the two timers, the backend programs the rekey value as 70% of the configured lifetime.


A very low rekey value causes keys to be replaced far more often than the lifetime alone would require. The recommended setting is a rekey timer at 80% of the lifetime value.

For example, if you configure a lifetime of 2048 seconds and a rekey value of 240 seconds (240 seconds is also the lowest permitted limit), the CLI configuration shows the values exactly as entered, but the rekey timer actually programmed in the data plane is 1433 seconds, which is 70% of the lifetime (2048 seconds).

admin@cpe1-cli> show configuration orgs org-services Tenant-1 ipsec branch-sdwan-profile
branch-sdwan-profile b2b-sdwan {
    life-time  2048;
    rekey-time 240;
}

vsm-vcsn0> show dhkey site 2 101

GTnt:LTnt:Site    : 2:2:101
Prof-name         : b2b-sdwan
Timers            : Lifetime 2048s, Rekey in 1433s        <<<<<<<<<<<<
DH-Groups         : Config [19] Capability mask [0x00000040] = G { 19,}
Transforms        : Config [10] Capability mask [0x00000400] = T { 10,}

Self-Key Table: 1

  Key-id  State  -Tsec     Groups
--------------------------------
  0x0005    UP    869 *    G { 19,}

Peer Key-Exch Table: 3

Peer-associations Table: 3
       Peer
  [id/pkey/skey]         IP       state     Age
-----------------------------------------------
  00103:0x03:0x05       10.0.0.12   UP     1169
  00102:0x05:0x05       10.0.0.10   UP     1169
  00104:0x03:0x05       10.0.0.14   UP     1169


You can also verify the same values with the vsmd vty command "show ipsec config 0 all". If the device serves multiple tenants, specify the tenant ID in place of 0.


Name = b2b-sdwan (Obj ID = 1, VPN ID = 2)
   SD-WAN Info:
        Globl-tnt : 2
        Local-tnt : 2
        Branch-ID : 101
   Crypto Info:
        DH Group  : 19
        Transform : 10
        Lifetime  : 2048 sec                        <<<<<<<<<<<<<<<<<
        Rekeytime : 1433 sec                        <<<<<<<<<<<<<<<<<
   Tun if Info:
        Tun Iface : ptvi1026
        Tun VRF   : Tenant-1-Control-VR (10)
        IKE Local : 10.0.0.9
        ESP Local : 10.0.0.8

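As an added check (example code written for this article, not code from the product or its documentation), the following Python script parses the three outputs above and confirms that the data plane programmed the rekey timer as 70% of the lifetime, flagging any lifetime or rekey value that does not match that rule or that disagrees between "show dhkey" and "show ipsec config". The sample inputs are the outputs shown above, trimmed to the lines the check reads; the output formats, the 240-second minimum, and the integer-truncation rule (2048 * 70 // 100 = 1433) are assumptions taken from this page.

```python
import re
from typing import Dict, List

# Constructed sample inputs: the three outputs shown above, trimmed to the lines this check reads.
CLI_CONFIG = """branch-sdwan-profile b2b-sdwan {
    life-time  2048;
    rekey-time 240;
}"""

DHKEY_OUTPUT = """Prof-name         : b2b-sdwan
Timers            : Lifetime 2048s, Rekey in 1433s"""

IPSEC_CONFIG_OUTPUT = """Name = b2b-sdwan (Obj ID = 1, VPN ID = 2)
   Crypto Info:
        Lifetime  : 2048 sec
        Rekeytime : 1433 sec"""

MIN_REKEY = 240  # lowest permitted rekey value, as stated in the article


def programmed_rekey(lifetime: int) -> int:
    """Rekey timer the backend actually programs: 70% of the configured lifetime.
    Integer arithmetic with truncation is an assumption; it reproduces 2048 -> 1433."""
    return lifetime * 70 // 100


def parse_cli_config(text: str) -> Dict[str, int]:
    """Configured values from 'show configuration ... branch-sdwan-profile'."""
    life = re.search(r"life-time\s+(\d+);", text)
    rekey = re.search(r"rekey-time\s+(\d+);", text)
    if not (life and rekey):
        raise ValueError("life-time/rekey-time not found in CLI configuration")
    return {"lifetime": int(life.group(1)), "rekey": int(rekey.group(1))}


def parse_dhkey(text: str) -> Dict[str, int]:
    """Programmed values from the 'Timers' line of 'show dhkey site <gtnt> <site>'.
    The article reads 'Rekey in' as the programmed rekey timer; this check does the same."""
    m = re.search(r"Timers\s*:\s*Lifetime\s+(\d+)s,\s*Rekey in\s+(\d+)s", text)
    if not m:
        raise ValueError("Timers line not found in show dhkey output")
    return {"lifetime": int(m.group(1)), "rekey": int(m.group(2))}


def parse_ipsec_config(text: str) -> Dict[str, int]:
    """Programmed values from the Crypto Info block of 'show ipsec config <tenant> all'."""
    life = re.search(r"Lifetime\s*:\s*(\d+)\s*sec", text)
    rekey = re.search(r"Rekeytime\s*:\s*(\d+)\s*sec", text)
    if not (life and rekey):
        raise ValueError("Lifetime/Rekeytime not found in show ipsec config output")
    return {"lifetime": int(life.group(1)), "rekey": int(rekey.group(1))}


def audit_timers(configured: Dict[str, int], dhkey: Dict[str, int],
                 ipsec: Dict[str, int]) -> List[str]:
    """Compare configured vs programmed timers.
    ERROR lines mean the data plane does not match the documented 70% behaviour;
    an INFO line explains the expected difference between CLI and data plane."""
    findings: List[str] = []
    if configured["rekey"] < MIN_REKEY:
        findings.append(f"ERROR: configured rekey {configured['rekey']}s is below the {MIN_REKEY}s minimum")
    expected = programmed_rekey(configured["lifetime"])
    for name, seen in (("show dhkey", dhkey), ("show ipsec config", ipsec)):
        if seen["lifetime"] != configured["lifetime"]:
            findings.append(f"ERROR: {name} lifetime {seen['lifetime']}s != configured {configured['lifetime']}s")
        if seen["rekey"] != expected:
            findings.append(f"ERROR: {name} rekey {seen['rekey']}s != 70% of lifetime ({expected}s)")
    if dhkey["rekey"] != ipsec["rekey"]:
        findings.append("ERROR: show dhkey and show ipsec config disagree on the rekey timer")
    if configured["rekey"] != expected and not any(f.startswith("ERROR") for f in findings):
        findings.append(
            f"INFO: CLI shows rekey {configured['rekey']}s, but the data plane runs with "
            f"{expected}s (70% of the {configured['lifetime']}s lifetime), as documented"
        )
    return findings


if __name__ == "__main__":
    for line in audit_timers(parse_cli_config(CLI_CONFIG), parse_dhkey(DHKEY_OUTPUT),
                             parse_ipsec_config(IPSEC_CONFIG_OUTPUT)):
        print(line)
```

Run against the outputs above, the script reports a single INFO line (configured 240s, programmed 1433s). Replace the three sample strings with the live output of the same commands on your CPE to check a real profile; any ERROR line means the programmed timers no longer follow the 70% rule this article describes.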
 


Note: The rekey value is configurable only for stateless B2B IPsec; it is not configurable for the stateful Branch-to-Controller IPsec. For Branch-to-Controller, you can modify only the lifetime, and the rekey time is adjusted accordingly.