Hi everybody. I am trying to understand the TEK and KEK lifetime.
I copied the topology you explained and made an extra change like this:
KS1#show run | s crypto
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 86000
crypto isakmp key MY_KEY address 0.0.0.0
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC_PROFILE
**set security-association lifetime seconds 120**
set transform-set TRANSFORM_SET
crypto gdoi group GDOI_GROUP
identity number 123
server local
**rekey lifetime seconds 360**
rekey authentication mypubkey rsa RSA_KEYS
rekey transport unicast
sa ipsec 10
profile IPSEC_PROFILE
match address ipv4 ICMP
replay counter window-size 64
no tag
address ipv4 192.168.1.254
KS1#
I set TEK lifetime: 120 seconds
I set KEK lifetime: 360 seconds
Following the recommendation of Cisco:
It is recommended that the KEK lifetime value be at least three times greater than the TEK lifetime value
But the problem is, when I looked at the logging messages,
the TEK lifetime update happened every 60 seconds
and the KEK lifetime update happened every 90 seconds.
Like this:
GM1#show log | i SA
*Dec 7 17:05:00.698: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:05:30.702: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x6909E7561CEB0B36BD3039FD96E75C16
*Dec 7 17:06:00.706: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:07:00.720: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:07:00.720: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x390DCED8FF0C1465EF383D03FEA0A2E2
*Dec 7 17:08:00.728: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:08:30.731: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x4C3DBED2CCF6F1B0E72F59CF613F8184
*Dec 7 17:09:00.738: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:10:00.755: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:10:00.755: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xC2A4FE2157A3E03F398AF1B54EE13518
*Dec 7 17:11:00.766: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:11:30.771: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x96DAD8BFF3BB06A7E1573C632996CBCD
*Dec 7 17:12:00.776: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:13:00.812: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:13:00.812: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x41BD870DE6E388DADACB9C5F8238E114
*Dec 7 17:14:00.813: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:14:30.818: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xC3096D172FCADD883A4FC441DF183384
*Dec 7 17:15:00.813: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:16:00.831: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:16:00.832: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x968892E5804CC8AE1AEBF7CCA2864B
I don’t understand why this happens, or what the algorithm to calculate this is. Do you know?
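As an added example (not part of the original post, and not Cisco's code or documentation), the script below parses the `%GDOI-5-SA_TEK_UPDATED` / `%GDOI-5-SA_KEK_UPDATED` syslog lines quoted above, measures the observed interval between consecutive TEK and KEK rekeys, and compares those intervals with the configured `set security-association lifetime seconds 120` and `rekey lifetime seconds 360`, and with the "KEK lifetime at least three times the TEK lifetime" recommendation. The log text and the two lifetime values are copied from the post; the year is an assumption, because the syslog timestamps carry none, and the summary only reports what the timestamps show rather than explaining the key server's rekey schedule.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed copy of the GM1 log lines quoted in the post (timestamps and
# message types as shown there).
SAMPLE_LOG = """
*Dec 7 17:05:00.698: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:05:30.702: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x6909E7561CEB0B36BD3039FD96E75C16
*Dec 7 17:06:00.706: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:07:00.720: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:07:00.720: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x390DCED8FF0C1465EF383D03FEA0A2E2
*Dec 7 17:08:00.728: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:08:30.731: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x4C3DBED2CCF6F1B0E72F59CF613F8184
*Dec 7 17:09:00.738: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:10:00.755: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:10:00.755: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xC2A4FE2157A3E03F398AF1B54EE13518
*Dec 7 17:11:00.766: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:11:30.771: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x96DAD8BFF3BB06A7E1573C632996CBCD
*Dec 7 17:12:00.776: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:13:00.812: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:13:00.812: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x41BD870DE6E388DADACB9C5F8238E114
*Dec 7 17:14:00.813: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:14:30.818: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0xC3096D172FCADD883A4FC441DF183384
*Dec 7 17:15:00.813: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:16:00.831: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 7 17:16:00.832: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated 0x968892E5804CC8AE1AEBF7CCA2864B
"""

# Matches the IOS syslog prefix and the two GDOI SA update message names.
LOG_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+): "
    r"%GDOI-5-SA_(?P<sa>TEK|KEK)_UPDATED"
)


def parse_events(text, year=2000):
    """Return [(datetime, 'TEK'|'KEK'), ...] in log order.

    IOS timestamps carry no year, so `year` is an assumed value used only to
    build a datetime; it does not affect the intervals computed below.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["sa"]))
    return events


def rekey_intervals(events, sa):
    """Seconds between consecutive updates of one SA type, rounded to whole seconds."""
    times = [t for t, kind in events if kind == sa]
    intervals = []
    for earlier, later in zip(times, times[1:]):
        delta = later - earlier
        if delta < timedelta(0):            # log crossed midnight without a date change
            delta += timedelta(days=1)
        intervals.append(round(delta.total_seconds()))
    return intervals


def summarize(events, tek_lifetime, kek_lifetime):
    """Compare observed rekey cadence with the configured lifetimes."""
    tek = rekey_intervals(events, "TEK")
    kek = rekey_intervals(events, "KEK")
    tek_obs = float(median(tek)) if tek else None
    kek_obs = float(median(kek)) if kek else None
    return {
        "tek_observed_interval": tek_obs,
        "kek_observed_interval": kek_obs,
        # Fraction of the configured lifetime at which the update is seen.
        "tek_fraction_of_lifetime": tek_obs / tek_lifetime if tek_obs else None,
        "kek_fraction_of_lifetime": kek_obs / kek_lifetime if kek_obs else None,
        # A rekey that arrives after the lifetime would leave a gap with no valid key.
        "tek_rekeyed_before_expiry": bool(tek_obs and tek_obs < tek_lifetime),
        "kek_rekeyed_before_expiry": bool(kek_obs and kek_obs < kek_lifetime),
        # The recommendation quoted in the post.
        "kek_at_least_3x_tek": kek_lifetime >= 3 * tek_lifetime,
    }


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for key, value in summarize(ev, tek_lifetime=120, kek_lifetime=360).items():
        print(f"{key}: {value}")
```

Run it as-is to get the cadence from the quoted log (every TEK update 60 s apart, every KEK update 90 s apart), or feed it the output of `show log | i SA` from your own group member to check that rekeys keep arriving inside the configured lifetimes after you change the `set security-association lifetime` and `rekey lifetime` values.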