Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What is the Rekey option under VPN Monitor?

0

0

Article ID: KB6121 KB Last Updated: 17 Feb 2021Version: 7.0
Summary:
Rekey keeps the VPN SA active, even if there is no other VPN traffic; except for the ICMP echo requests (pings) that are sent by the VPN monitoring module. When the key lifetime for a Phase 1 or Phase 2 SA is about to expire, the rekey option renews the key, resets the key lifetime, and keeps the SA active.
Symptoms:
What is the Rekey option under VPN Monitor?

Problem environment:

  • VPNs > AutoKey IKE Advanced Page

  • Rekey checkbox in VPN Monitor section
Solution:
The Rekey option under VPN Monitor is another method for the Juniper firewall to perform re-keys, when it detects that the tunnel is down. When the VPN Monitor determines that the tunnel is down, the VPN Monitor will initiate a rekey.  This is similar to the IKE heartbeat rekey; with the exception that it uses the VPN Monitor mechanism.

The Rekey option cannot be used alone; it has to be used with VPN monitor.

It works in the following way:

If you enable the rekey option, along with the VPN monitor, without optimization, the security device starts to immediately send ICMP echo, when the tunnel configuration is complete and continues to send them indefinitely. The echo requests trigger an attempt to initiate IKE negotiations to establish a VPN tunnel, until the state of VPN monitoring for the tunnel is up. The security device then uses the pings for VPN monitoring purposes. If the state of VPN monitoring for the tunnel changes from up to down, the security device de-activates its Phase 2 security association (SA) for that peer.

If you do not enable Rekey with the VPN monitor, then the VPN will no longer send echo requests, when the VPN tunnel is marked as down by the VPN monitor. But, when the Rekey option is enabled, the security device continues to send echo requests to its peer at defined intervals; which triggers attempts to reinitiate IKE Phase 2 negotiations and Phase 1 negotiations, if necessary, until it succeeds.

At that point, the security device re-activates Phase 2 SA, generates a new key, and re-establishes the tunnel. A message is generated in the event log, which states that a successful rekey operation has occurred.

You can use the rekey option to ensure that an AutoKey IKE tunnel is always up, perhaps to monitor devices at the remote site or allow dynamic routing protocols to learn routes at a remote site and transmit messages via the tunnel. Another use, to which you can apply VPN monitoring with the rekey option, is for automatic population of the next-hop tunnel binding table (NHTB table) and the route table, when multiple VPN tunnels are bound to a single tunnel interface. This is applicable to VPN with Juniper Peers only, as for other 3rd party peers, you need to manually configure NHTB.


To enable the VPN Rekey:

Via the WebUI:

Go to VPNs > AutoKey IKE > Edit:


Via the CLI:
set vpn <VPN NAME/ PHASE2 NAME> monitor <optimized> rekey

For more information about the Optimized feature, refer to KB9522 - [ScreenOS] How to enable the Optimized feature of VPN Monitor and what does it do


For more information on the affects of the rekey option, refer to the following articles:
Modification History:
2021-02-07: Added relevant KB links related to VPN monitoring.
2019-05-22: Content reviewed for accuracy.  no changes.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search