[j-nsp] J/SRX-series IPsec - changing SA lifetimes

Dale Shaw dale.shaw+j-nsp at gmail.com
Wed Aug 24 08:24:45 EDT 2011


Hi all,

This is something I thought would be really easy to research but I've
come up empty. I got kinda bogged down in a sea of RFCs, draft proposals
and JUNOS documentation.

We have about 110 WAN routers configured in a partial mesh of IPsec
tunnels. I want to modify the SA lifetime value in both the IKE (phase
1) and IPsec (phase 2) proposals.

I'll be automating the config push to make this happen - so it should
roll out fairly quickly - but what happens if, by chance, a SA needs
to be renegotiated *during* my change window, and peer "A" has the new
lifetime value and peer "B" has the old lifetime value?

I'm trying to understand the behaviour for both phases. We're running
JUNOS 10.0 (R3 and R4, if it matters).

I'm hoping for an answer along the lines of "the peers will negotiate
seamlessly and without tearing down SAs" :-)   If it's inconclusive, I
guess I'll lab it up.

Cheers,
Dale
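As an added illustration of the rollout question above (not code from the original post, and not Junos behaviour), the following Python model works through what happens when two IKE peers hold different SA lifetimes during a staged change. The model assumes what IKEv2 (RFC 7296) specifies by design and what most IKEv1 implementations do when the RESPONDER-LIFETIME notify is not in play: each peer ages the SA by its own configured lifetime, rekeys a fixed margin before its own hard expiry, and accepts a rekey initiated by the other side regardless of the lifetime it would have proposed itself. An existing SA keeps the lifetime it was set up with; a config change only affects the next negotiation. Peer names, lifetimes, margins and change times are constructed for the example.

```python
"""Toy timing model: two IKE peers with mismatched SA lifetimes.

Assumptions (not taken from Junos documentation): every peer times out
an SA by its own configured lifetime, starts a rekey `margin` seconds
before its own hard expiry, and the peer whose timer fires first
initiates; the other side accepts.  A pushed config change only takes
effect at the next negotiation.  Times are in seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Peer:
    name: str
    lifetime: int                     # configured SA lifetime right now
    margin: int = 60                  # rekey this long before own hard expiry
    # (time, new_lifetime) pairs: config pushes during the change window
    changes: List[Tuple[int, int]] = field(default_factory=list)

    def lifetime_at(self, t: int) -> int:
        """Lifetime this peer would use for an SA negotiated at time t."""
        lt = self.lifetime
        for when, new in sorted(self.changes):
            if when <= t:
                lt = new
        return lt


@dataclass
class Generation:
    established: int
    expiry: Dict[str, int]            # each side's own hard expiry for this SA
    next_initiator: str               # which side will rekey first (tie -> a)
    rekey_at: int


def simulate(a: Peer, b: Peer, horizon: int) -> List[Generation]:
    """Walk SA generations from t=0 until the next rekey passes `horizon`."""
    gens: List[Generation] = []
    t = 0
    while t <= horizon:
        expiry = {p.name: t + p.lifetime_at(t) for p in (a, b)}
        rekey = {p.name: expiry[p.name] - p.margin for p in (a, b)}
        initiator = a.name if rekey[a.name] <= rekey[b.name] else b.name
        if rekey[initiator] <= t:
            raise ValueError("margin must be smaller than the lifetime")
        gens.append(Generation(t, expiry, initiator, rekey[initiator]))
        t = rekey[initiator]
    return gens


def no_gap(gens: List[Generation]) -> bool:
    """True if every replacement SA is up before either side's hard expiry.

    With margin=0 a peer rekeys exactly at expiry, which this check treats
    as a gap: the old SA is gone before the new one exists.
    """
    return all(nxt.established < min(cur.expiry.values())
               for cur, nxt in zip(gens, gens[1:]))


def scenario() -> Tuple[Peer, Peer]:
    """Constructed rollout: both peers start at 3600 s, move to 1800 s.

    Peer A gets the new value at t=1000, peer B only at t=5000, so the
    SA negotiated at t=3540 is set up with A on 1800 s and B on 3600 s.
    """
    a = Peer("A", 3600, changes=[(1000, 1800)])
    b = Peer("B", 3600, changes=[(5000, 1800)])
    return a, b


if __name__ == "__main__":
    a, b = scenario()
    gens = simulate(a, b, horizon=8000)
    for g in gens:
        print(f"t={g.established:5d}  expiry={g.expiry}  "
              f"{g.next_initiator} rekeys at {g.rekey_at}")
    print("continuous coverage:", no_gap(gens))
```

Running it shows the mismatched generation (established at t=3540) is simply cut short by peer A rekeying at 5280, well before B's own expiry at 7140; B's unused lifetime is wasted, nothing is torn down. Drop the margin to 0 and `no_gap` returns False, which is the one way a lifetime change can bite in this model: not the mismatch itself, but rekeying at hard expiry instead of before it. Whether a given Junos release accepts a longer lifetime from the peer, or answers with a RESPONDER-LIFETIME notify, is outside this model and is exactly what the lab test proposed above would settle.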

