Thanks for your reply. This is the output of the command show crypto gdoi ks policy
KS1#
KS1#
KS1#show crypto gdoi ks policy
Key Server Policy:
For group GDOI_GROUP (handle: 2147483650) server 192.168.1.254 (handle: 2147483650):
# of teks : 3 Seq num : 1
KEK POLICY (transport type : Unicast)
spi : 0xCC24F40DCEA032105661C392ACB9A5E5
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 32
orig life(sec): 360 remaining life(sec): 305
time to rekey (sec): 80
sig hash algorithm : enabled sig key length : 162
sig size : 129
sig key name : RSA_KEYS
acknowledgement : Cisco
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0x9CAE4C22
access-list : ICMP
transform : esp-aes esp-sha-hmac
alg key size : 16 sig key size : 20
orig life(sec) : 120 remaining life(sec) : 96
tek life(sec) : 120 elapsed time(sec) : 24
override life (sec): 0 antireplay window size: 64
time to rekey (sec): 5
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0x9AFB374A
access-list : ICMP
transform : esp-aes esp-sha-hmac
alg key size : 16 sig key size : 20
orig life(sec) : 120 remaining life(sec) : 66
tek life(sec) : 120 elapsed time(sec) : 54
override life (sec): 0 antireplay window size: 64
time to rekey (sec): n/a
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0xB3BAF7A4
access-list : ICMP
transform : esp-aes esp-sha-hmac
alg key size : 16 sig key size : 20
orig life(sec) : 120 remaining life(sec) : 36
tek life(sec) : 120 elapsed time(sec) : 84
override life (sec): 0 antireplay window size: 64
time to rekey (sec): n/a
KS1#
KS1#
I found a formula to obtain the rekey time in the Key Server.
In my KS log I obtain a total of 3 retransmissions, each 30 seconds apart.
*Dec 17 16:39:18.024: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 3 spi: 0x85C167F44D66C3AFFDA289BAEE2AE52
*Dec 17 16:39:48.061: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 1 spi: 0x56AE30A25EA34D8263D843028FFB944
*Dec 17 16:40:18.043: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 2 spi: 0x56AE30A25EA34D8263D843028FFB944
*Dec 17 16:40:48.067: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 3 spi: 0x56AE30A25EA34D8263D843028FFB944
*Dec 17 16:41:18.077: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 1 spi: 0xCA95B4D75C965A03FDDDC842A003903E
*Dec 17 16:41:48.049: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 2 spi: 0xCA95B4D75C965A03FDDDC842A003903E
*Dec 17 16:42:18.089: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 3 spi: 0xCA95B4D75C965A03FDDDC842A003903E
*Dec 17 16:42:48.059: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 1 spi: 0xBEC9F965F22735F71440DAA68F7FD73
*Dec 17 16:43:18.066: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 2 spi: 0xBEC9F965F22735F71440DAA68F7FD73
KS1#
I read a little bit about it. I guess that the GM and KS overlap the old and the new IPsec SA SPI, because the document says
“The GM expects a KEK rekey to occur at least 200 seconds prior to the current KEK expiry”
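As an added example (not part of the post above, and not Cisco code), here is a small Python script that parses the %GDOI-5-KS_SEND_UNICAST_REKEY lines quoted in the post, groups the sends by rekey SPI, and reports the retransmission spacing within one rekey and the interval between successive rekeys. It also flags skipped sequence numbers or irregular spacing, which is the kind of check a monitoring job can run against KS syslog to notice a key server that has stopped rekeying on schedule. IOS syslog omits the year, so the year used to build timestamps is an assumed placeholder; the 30-second spacing and 2-second tolerance are assumptions that match the log in the post, not values read from the KS configuration.

```python
import re
from collections import OrderedDict
from datetime import datetime
from typing import NamedTuple

# Rekey syslog lines as quoted in the post above (KS1). IOS syslog carries no
# year, so a placeholder year is assumed when the timestamps are parsed.
KS_LOG = """\
*Dec 17 16:39:18.024: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 3 spi: 0x85C167F44D66C3AFFDA289BAEE2AE52
*Dec 17 16:39:48.061: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 1 spi: 0x56AE30A25EA34D8263D843028FFB944
*Dec 17 16:40:18.043: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 2 spi: 0x56AE30A25EA34D8263D843028FFB944
*Dec 17 16:40:48.067: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 3 spi: 0x56AE30A25EA34D8263D843028FFB944
*Dec 17 16:41:18.077: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 1 spi: 0xCA95B4D75C965A03FDDDC842A003903E
*Dec 17 16:41:48.049: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 2 spi: 0xCA95B4D75C965A03FDDDC842A003903E
*Dec 17 16:42:18.089: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 3 spi: 0xCA95B4D75C965A03FDDDC842A003903E
*Dec 17 16:42:48.059: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 1 spi: 0xBEC9F965F22735F71440DAA68F7FD73
*Dec 17 16:43:18.066: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GDOI_GROUP from address 192.168.1.254 with seq # 2 spi: 0xBEC9F965F22735F71440DAA68F7FD73
"""

# Matches only the KS_SEND_UNICAST_REKEY message; milliseconds are discarded
# because the rekey schedule is meaningful at one-second resolution.
LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+: "
    r"%GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group (?P<group>\S+) "
    r"from address (?P<ks>\S+) with seq # (?P<seq>\d+) spi: (?P<spi>0x[0-9A-Fa-f]+)\s*$"
)


class RekeyEvent(NamedTuple):
    ts: datetime
    group: str
    ks: str
    seq: int      # retransmission counter within one rekey message
    spi: str      # lower-cased rekey SPI; one SPI == one rekey message


def parse_rekey_log(text, year=2023):
    """Return the KS rekey sends found in a block of syslog text (other lines are ignored)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(RekeyEvent(ts, m["group"], m["ks"], int(m["seq"]), m["spi"].lower()))
    return events


def analyse_rekeys(events, spacing=30.0, tolerance=2.0):
    """Group sends by SPI and derive the schedule.

    Returns (per_spi, rekey_intervals, findings):
      per_spi         : OrderedDict spi -> {"seqs": [...], "gaps": [seconds...], "first": datetime}
      rekey_intervals : seconds between the seq 1 sends of consecutive rekeys
      findings        : anomalies: skipped sequence numbers or spacing outside the tolerance
    """
    per_spi = OrderedDict()
    for e in sorted(events, key=lambda e: e.ts):
        per_spi.setdefault(e.spi, []).append(e)

    summary = OrderedDict()
    findings = []
    for spi, sends in per_spi.items():
        seqs = [s.seq for s in sends]
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(sends, sends[1:])]
        summary[spi] = {"seqs": seqs, "gaps": gaps, "first": sends[0].ts}
        # A capture may start or end mid-rekey, so only consecutiveness is checked,
        # not that every SPI shows the full set of retransmissions.
        if seqs != list(range(seqs[0], seqs[0] + len(seqs))):
            findings.append(f"{spi}: sequence numbers {seqs} are not consecutive")
        for (a, b), gap in zip(zip(sends, sends[1:]), gaps):
            if abs(gap - spacing) > tolerance:
                findings.append(
                    f"{spi}: {gap:.0f}s between seq {a.seq} and seq {b.seq} (expected ~{spacing:.0f}s)"
                )

    starts = [v["first"] for v in summary.values() if v["seqs"][0] == 1]
    rekey_intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return summary, rekey_intervals, findings


if __name__ == "__main__":
    per_spi, intervals, findings = analyse_rekeys(parse_rekey_log(KS_LOG))
    for spi, info in per_spi.items():
        print(f"{spi}: seq {info['seqs']} gaps {info['gaps']} first {info['first'].time()}")
    print("interval between rekeys (s):", intervals)
    print("findings:", findings or "none")
```

Run against the post's log, the script shows three sends per SPI spaced 30 seconds apart and a new rekey SPI every 90 seconds, with no findings; the first SPI appears with only seq 3 because the log excerpt begins mid-rekey, which is why the check tolerates a truncated series rather than demanding all three sends.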