[ScreenOS] What is the Rekey option under VPN Monitor?

  [KB6121]

Rekey keeps the VPN SA active even when there is no VPN traffic other than the ICMP echo requests (pings) sent by the VPN monitoring module. When the key lifetime of a Phase 1 or Phase 2 SA is about to expire, the rekey option renews the key, resets the key lifetime, and keeps the SA active.

Problem environment:

  • VPNs > AutoKey IKE Advanced Page

  • Rekey checkbox in VPN Monitor section

The Rekey option under VPN Monitor is another method for the Juniper firewall to perform a rekey when it detects that the tunnel is down. When the VPN Monitor determines that the tunnel is down, it initiates a rekey. This is similar to the IKE heartbeat rekey, except that it uses the VPN Monitor mechanism rather than IKE heartbeats to detect the failure.

The Rekey option cannot be used alone; it has to be used with VPN monitor.

It works in the following way:

If you enable the rekey option along with VPN monitor (without the Optimized option), the security device starts sending ICMP echo requests as soon as the tunnel configuration is complete, and continues to send them indefinitely. The echo requests trigger attempts to initiate IKE negotiations to establish the VPN tunnel until the VPN monitoring state for the tunnel is up. The security device then uses the pings for VPN monitoring. If the VPN monitoring state for the tunnel changes from up to down, the security device deactivates its Phase 2 security association (SA) for that peer.

If you enable VPN monitor without the Rekey option, the device stops sending echo requests once the VPN monitor marks the tunnel as down; the tunnel is only re-established when new traffic matches the VPN policy or route. When the Rekey option is enabled, the security device continues to send echo requests to its peer at the defined interval, which triggers attempts to reinitiate IKE Phase 2 negotiations (and Phase 1 negotiations, if necessary) until they succeed.

At that point, the security device reactivates the Phase 2 SA, generates a new key, and re-establishes the tunnel. A message stating that a successful rekey operation has occurred is written to the event log.

You can use the rekey option to ensure that an AutoKey IKE tunnel is always up, for example to monitor devices at the remote site, or to let dynamic routing protocols learn routes from the remote site and exchange messages through the tunnel. Another use of VPN monitoring with the rekey option is the automatic population of the next-hop tunnel binding (NHTB) table and the route table when multiple VPN tunnels are bound to a single tunnel interface. Automatic NHTB population works only with Juniper peers; for third-party peers you must configure the NHTB entries manually.

VPN Rekey can be enabled in the following ways:

Via the WebUI:

Go to VPNs > AutoKey IKE > Edit > Advanced, and select the Rekey checkbox in the VPN Monitor section (VPN Monitor itself must also be enabled).

Via the CLI:
set vpn <vpn_name> monitor [optimized] rekey
For more information about the Optimized feature, refer to KB9522 - [ScreenOS] How to enable the Optimized feature of VPN Monitor and what it does.
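The following is an added example, not configuration from the original article: a minimal route-based AutoKey IKE tunnel showing VPN Monitor with and without the Rekey option, so the behavioural difference described above maps onto concrete commands. The gateway, VPN and interface names, the addresses and the pre-shared key are hypothetical; the command syntax follows ScreenOS's `set vpn name monitor [source-interface interface [destination-ip ip]] [optimized] [rekey]`. The three `monitor` lines are alternatives, not a sequence; apply only the one you want.

```text
# Hypothetical route-based AutoKey IKE tunnel (names, addresses and key are made up).
# Phase 1: main mode, pre-shared key, standard proposal set
set ike gateway gw-branch address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "Hypothetical-PSK" sec-level standard
# Phase 2 VPN bound to a numbered tunnel interface
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.0.1/30
set vpn vpn-branch gateway gw-branch sec-level standard
set vpn vpn-branch bind interface tunnel.1

# Option A: VPN Monitor WITHOUT rekey.
# The device pings 10.255.0.2 through tunnel.1, marks the tunnel down on missed
# replies, deactivates the Phase 2 SA and then stops sending echo requests.
# The tunnel only comes back when new traffic matches the route to the peer.
set vpn vpn-branch monitor source-interface tunnel.1 destination-ip 10.255.0.2

# Option B: VPN Monitor WITH rekey (the behaviour this article describes).
# Echo requests keep going while the tunnel is down, which re-triggers Phase 2
# (and Phase 1 if needed) negotiation until the tunnel is up again.
set vpn vpn-branch monitor source-interface tunnel.1 destination-ip 10.255.0.2 rekey

# Option B plus the Optimized flag (see KB9522): incoming traffic through the
# tunnel is accepted as proof the tunnel is up, reducing monitor pings on a busy tunnel.
set vpn vpn-branch monitor source-interface tunnel.1 destination-ip 10.255.0.2 optimized rekey

# Verification (output not reproduced here):
get vpn vpn-branch          # shows the VPN's monitor, optimized and rekey settings
get sa active               # active SAs; the tunnel's SA should reappear after a rekey
get event | include rekey   # event-log entry confirming a successful rekey
```

One practical check: with Option B, `get sa active` should show the tunnel's Phase 2 SA returning without any user traffic after the peer becomes reachable again, whereas with Option A the SA stays inactive until a packet is routed into tunnel.1.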

For more information on the effects of the rekey option, refer to the following articles:

Related Links: