IKEv2 SA rekeying
For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the
lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If
two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the
SA rekeying. This mechanism reduces the possibility that two peers will simultaneously initiate a
rekeying. Simultaneous rekeying results in redundant SAs and SA status inconsistency on the two
peers.
IKEv2 message retransmission
Unlike IKEv1 messages, IKEv2 messages appear in request/response pairs. IKEv2 uses the
Message ID field in the message header to identify the request/response pair. If an initiator sends a
request but receives no response with the same Message ID value within a specific period of time,
the initiator retransmits the request.
It is always the IKEv2 initiator that initiates the retransmission, and the retransmitted message must
use the same Message ID value.
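The following Python snippet is an added example, not part of this configuration guide: it parses the IKEv2 header layout defined in RFC 4306 (one of the standards listed on this page) and pairs requests with responses by Message ID, counting retransmissions (a request repeated with the same Message ID) and requests that never received a response. The sample messages are constructed inline; the flag bits and exchange-type values are taken from RFC 4306.

```python
import struct
# IKEv2 header (RFC 4306, section 3.1), 28 bytes, network byte order:
# SPIi, SPIr, next payload, version, exchange type, flags, Message ID, length.
IKE_HDR = struct.Struct("!QQBBBBII")
FLAG_INITIATOR = 0x08  # set on every message sent by the IKE SA's original initiator
FLAG_RESPONSE = 0x20   # set on responses, clear on requests
IKE_SA_INIT, IKE_AUTH, INFORMATIONAL = 34, 35, 37  # exchange types used in the sample

def parse_header(pkt):
    """Return (from_initiator, is_response, exchange_type, message_id); reject malformed input."""
    if len(pkt) < IKE_HDR.size:
        raise ValueError("truncated IKEv2 header")
    _spi_i, _spi_r, _np, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(pkt)
    if version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if length < IKE_HDR.size:
        raise ValueError("length field smaller than the header")
    return bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE), exch, msg_id

def track_exchanges(pkts):
    """Pair requests with responses by Message ID, separately for each requester. A repeated
    request for an outstanding Message ID is a retransmission; unanswered requests are reported."""
    outstanding = {}  # (requester_is_initiator, message_id) -> times the request was seen
    stats = {"answered": 0, "retransmitted": 0}
    for pkt in pkts:
        from_init, is_resp, _exch, msg_id = parse_header(pkt)
        # A response carries the opposite Initiator flag from the request it answers.
        key = ((not from_init) if is_resp else from_init, msg_id)
        if is_resp:
            if outstanding.pop(key, None) is not None:
                stats["answered"] += 1
        else:
            if key in outstanding:
                stats["retransmitted"] += 1
            outstanding[key] = outstanding.get(key, 0) + 1
    stats["unanswered"] = sorted(msg_id for _, msg_id in outstanding)
    return stats

def build_header(spi_i, spi_r, exch, msg_id, response, from_initiator):
    """Constructed header for the sample below (no payloads, so length is the header size)."""
    flags = (FLAG_RESPONSE if response else 0) | (FLAG_INITIATOR if from_initiator else 0)
    return IKE_HDR.pack(spi_i, spi_r, 0, 0x20, exch, flags, msg_id, IKE_HDR.size)

# Constructed sample: one retransmitted IKE_AUTH request and one request that is never answered.
SAMPLE = [
    build_header(0x1111, 0x0000, IKE_SA_INIT, 0, False, True),    # request, Message ID 0
    build_header(0x1111, 0x2222, IKE_SA_INIT, 0, True, False),    # response, Message ID 0
    build_header(0x1111, 0x2222, IKE_AUTH, 1, False, True),       # request, Message ID 1
    build_header(0x1111, 0x2222, IKE_AUTH, 1, False, True),       # retransmission, same Message ID
    build_header(0x1111, 0x2222, IKE_AUTH, 1, True, False),       # response, Message ID 1
    build_header(0x1111, 0x2222, INFORMATIONAL, 2, False, True),  # request, never answered
]
```

Running `track_exchanges(SAMPLE)` reports two answered exchanges, one retransmission and Message ID 2 as unanswered; a monitoring job can apply the same pairing to captured IKE traffic to spot peers that keep retransmitting without ever receiving a response.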
Protocols and standards
RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
RFC 4306, Internet Key Exchange (IKEv2) Protocol
RFC 4718, IKEv2 Clarifications and Implementation Guidelines
RFC 2412, The OAKLEY Key Determination Protocol
RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2)
IKEv2 configuration task list
Determine the following parameters prior to IKEv2 configuration:
• The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
• The local and remote identity authentication methods.
  ◦ To use the pre-shared key authentication method, you must determine the pre-shared key.
  ◦ To use the RSA digital signature authentication method, you must determine the PKI domain for the local end to use. For information about PKI, see "Configuring PKI."
To configure IKEv2, perform the following tasks: