Understanding Rekey Messages
If the group is configured for server-member communications (see Understanding Server-Member Communication), the server periodically sends SA and key refreshes to group members in rekey (GDOI groupkey-push) messages. Rekey messages are sent before the current SAs expire, so that members always hold valid keys for encrypting traffic to other group members.
The server also sends rekey messages to provide new keys to members when there is a change in group membership or the group SA has changed (for example, a group policy is added or deleted).
Server-member communications options must be configured on the server to allow the server to send rekey messages to group members. These options specify the type of message and the intervals at which the messages are sent, as explained in the following sections:
Types of Rekey Messages
There are two types of rekey messages:
- Unicast rekey messages—The group server sends one copy of the rekey message to each group member. On receipt, a member must return an acknowledgment (ACK) to the server. If the server receives no ACK from a member after the initial message and all configured retransmissions, it considers the member inactive, removes it from the membership list, and stops sending rekey messages to it.
The number-of-retransmission and retransmission-period configuration statements for server-member communications control how many times, and at what interval, the server resends a rekey message to a member that has not acknowledged it.
- Multicast rekey messages—The group server sends one copy of the rekey message from the specified outgoing interface to the configured multicast group address. Members do not acknowledge receipt of multicast rekey messages, so the server cannot detect members that have dropped out after initial registration; the registered membership list therefore does not necessarily represent the active members. All members of the group must be configured to support multicast messages.

Note: IP multicast protocols must be configured to allow delivery of multicast traffic in the network. For detailed information about configuring multicast protocols on Juniper Networks devices, see the Junos Multicast Protocols Configuration Guide.
Rekey Intervals
The interval at which the server sends rekey messages is calculated from the values of the lifetime-seconds and activation-time-delay configuration statements at the [edit security group-vpn server group] hierarchy. The interval is lifetime-seconds minus 4*(activation-time-delay).
The lifetime-seconds for the KEK is configured as part of the server-member communications; the default is 3600 seconds. The lifetime-seconds for the TEK is configured for the IPsec proposal; the default is 3600 seconds. The activation-time-delay is configured for the group on the server; the default is 15 seconds.
Using the default values for lifetime-seconds and activation-time-delay, the interval at which the server sends rekey messages is 3600 minus 4*15, or 3540 seconds.
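The rekey schedule and the unicast ACK bookkeeping described in the two sections above, as an added example that is not part of this page or of Junos OS: a Python model that computes the rekey interval for the KEK and the TEK from lifetime-seconds and activation-time-delay, applies a sanity check that all unicast retransmissions go out before the KEK expires (a check introduced here for the example, not a rule the documentation states), and simulates one unicast rekey round with retransmissions and member removal. The 3600-second lifetimes and 15-second activation delay are the page's defaults; the number-of-retransmission and retransmission-period values and the member names are assumed for illustration.

```python
"""Added example; not code from the Junos OS documentation or from Juniper.

Models the rekey timing described on this page: the server sends a rekey
message lifetime-seconds - 4 * activation-time-delay seconds into the SA
lifetime, and for unicast rekeys retransmits every retransmission-period
seconds, at most number-of-retransmission times, until the member ACKs.
A member that never ACKs is dropped from the membership list. The default
lifetimes (3600 s) and activation delay (15 s) come from the page; the
retransmission values and member names are made up for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyConfig:
    kek_lifetime_seconds: int = 3600      # server-member-communication lifetime-seconds
    tek_lifetime_seconds: int = 3600      # IPsec proposal lifetime-seconds
    activation_time_delay: int = 15       # group activation-time-delay
    number_of_retransmission: int = 3     # assumed value, not a documented default
    retransmission_period: int = 10       # seconds; assumed value, not a documented default


def rekey_interval(lifetime_seconds: int, activation_time_delay: int) -> int:
    """Seconds into the SA lifetime at which the server sends the rekey."""
    interval = lifetime_seconds - 4 * activation_time_delay
    if interval <= 0:
        # An activation delay this large leaves no point at which a rekey could be
        # sent before the SA expires; refuse rather than schedule one at or after expiry.
        raise ValueError(
            f"lifetime-seconds {lifetime_seconds} is not greater than "
            f"4 * activation-time-delay ({4 * activation_time_delay})")
    return interval


def rekey_intervals(cfg: RekeyConfig) -> dict:
    """Rekey interval for the KEK and the TEK; both use the group's activation delay."""
    return {
        "kek": rekey_interval(cfg.kek_lifetime_seconds, cfg.activation_time_delay),
        "tek": rekey_interval(cfg.tek_lifetime_seconds, cfg.activation_time_delay),
    }


def retransmissions_fit_before_expiry(cfg: RekeyConfig) -> bool:
    """Sanity check added here (not a rule the page states): the last possible
    unicast retransmission of a KEK rekey should go out before that KEK expires."""
    first_send = rekey_interval(cfg.kek_lifetime_seconds, cfg.activation_time_delay)
    last_send = first_send + cfg.number_of_retransmission * cfg.retransmission_period
    return last_send < cfg.kek_lifetime_seconds


def unicast_rekey_timeline(cfg: RekeyConfig, ack_after: dict):
    """Simulate one unicast KEK rekey round.

    ack_after maps a member name to the number of seconds after the first
    send at which its ACK reaches the server, or None if it never answers.
    Returns (events, active, removed); events is a time-ordered list of
    (time, action, member) tuples with action in send/retransmit/ack/removed.
    """
    t0 = rekey_interval(cfg.kek_lifetime_seconds, cfg.activation_time_delay)
    period = cfg.retransmission_period
    events, active, removed = [], [], []
    for member, ack_delay in ack_after.items():
        acked = False
        for attempt in range(cfg.number_of_retransmission + 1):
            send_time = t0 + attempt * period
            events.append((send_time, "send" if attempt == 0 else "retransmit", member))
            # The server retransmits only if no ACK arrives before the current period ends.
            if ack_delay is not None and ack_delay < (attempt + 1) * period:
                events.append((t0 + ack_delay, "ack", member))
                acked = True
                break
        if acked:
            active.append(member)
        else:
            # No ACK after the initial send plus all retransmissions: the member is
            # treated as inactive once the wait after the last retransmission expires.
            events.append((t0 + (cfg.number_of_retransmission + 1) * period, "removed", member))
            removed.append(member)
    events.sort(key=lambda e: e[0])
    return events, active, removed


if __name__ == "__main__":
    cfg = RekeyConfig()
    print("rekey intervals:", rekey_intervals(cfg))
    print("retransmissions fit before KEK expiry:", retransmissions_fit_before_expiry(cfg))
    # Constructed input: one prompt member, one slow member, one that has silently left.
    for event in unicast_rekey_timeline(cfg, {"m1": 2, "m2": 25, "m3": None})[0]:
        print(event)
```

With the page's defaults the first rekey goes out at 3540 seconds; a member that answers within the first retransmission period is never retransmitted to, a slow member receives retransmissions until its ACK arrives, and a member that has silently left is removed after the initial send plus all configured retransmissions. Raising number-of-retransmission times retransmission-period above the 60-second gap between the rekey and the KEK's expiry makes the sanity check fail, which is the condition a practitioner would want to catch when tuning these statements.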
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding the GDOI Protocol
- Understanding Group Servers and Members
- Understanding Group Keys
- Understanding Key Activation
- Understanding Member Reregistration
- Group VPN Configuration Overview