The long security association (SA) lifetime functionality extends the maximum lifetime of the key encryption key (KEK) and
traffic encryption key (TEK) from 24 hours to 30 days. From Cisco IOS XE Everest 16.6, a KEK or TEK lifetime of 24
hours or longer is considered a long SA lifetime. This functionality also lets you configure key servers (KSs) to continue
to send periodic reminder rekeys to group members (GMs) that did not acknowledge the last scheduled rekey.
By using a long SA lifetime in combination with periodic reminder rekeys, a KS can bring GMs that missed a scheduled rekey
back into synchronization before the keys roll over.
For a lifetime of 24 hours or longer, the encryption algorithm must be Advanced Encryption Standard-cipher block chaining (AES-CBC)
or Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) with an AES key of 128 bits or stronger.
You can use the long SA lifetime functionality along with the GETVPN Suite-B feature to use AES-GCM
and Advanced Encryption Standard-Galois Message Authentication Code (AES-GMAC)
as traffic encryption key (TEK) policy transforms in a group for packets
encapsulated with AES-GCM and AES-GMAC.
Long SA Lifetime
When migrating to the long SA lifetime functionality (greater than or equal to one day), the following rules apply:
When a long SA lifetime is configured on a crypto IPsec profile, GETVPN displays a warning message not to use that IPsec profile
for a non-Group Domain of Interpretation (GDOI) group.
If group members are registered to a KS that uses a short SA lifetime and the KS changes the policy to a long SA lifetime,
GETVPN checks the software version of all the GMs when the crypto gdoi ks rekey command is configured to initiate the policy change. If any GM registered with the KS does not support long SA lifetime, a
message is displayed to discourage the policy change until all GMs are upgraded.
When the long SA feature is enabled on the KS, it blocks
registration from GMs running older Cisco IOS releases that do not support
When the KEK or TEK lifetime is a long SA lifetime, that is, 24 hours (86400 seconds) or longer, the rekey lifetime is set
to half the KEK or TEK lifetime, so a rekey is sent when half of the SA lifetime has elapsed.
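The rules above (the 24-hour threshold, the 30-day maximum, the AES-CBC/AES-GCM and 128-bit key requirement, the rekey at half the lifetime, and the requirement that every registered GM support long SA before the policy change) can be pre-checked before touching a KS. The following is an added example, not Cisco code: a small policy checker that a practitioner might run against a planned change. The `TekPolicy` fields, the GM capability table, and the behaviour for short lifetimes (returned unchanged, since the page states no rule for them) are assumptions made for illustration.

```python
"""Pre-check a proposed GETVPN KS policy against the long SA lifetime rules.

Added illustration, not Cisco code. The rules encoded are those stated in
the text; the GM capability table below is constructed sample data.
"""

from dataclasses import dataclass

DAY = 86400                  # seconds; at or above this a lifetime is a long SA
MAX_LIFETIME = 30 * DAY      # 30 days, the maximum the long SA feature allows

LONG_SA_CIPHERS = {"aes-cbc", "aes-gcm"}   # the only ciphers allowed for a long SA


@dataclass(frozen=True)
class TekPolicy:
    cipher: str        # hypothetical labels, e.g. "aes-gcm", "aes-cbc", "3des"
    key_bits: int      # AES key size; 0 for ciphers with a fixed key size
    lifetime_s: int    # requested TEK/KEK lifetime in seconds


def is_long_sa(lifetime_s: int) -> bool:
    """A lifetime of 24 hours or longer is a long SA lifetime."""
    return lifetime_s >= DAY


def rekey_interval(lifetime_s: int) -> int:
    """Rekey lifetime is half the SA lifetime for a long SA.

    For short lifetimes the page states no rule, so the value is returned
    unchanged (assumption for illustration only).
    """
    return lifetime_s // 2 if is_long_sa(lifetime_s) else lifetime_s


def validate_policy(p: TekPolicy) -> list[str]:
    """Return the list of problems with the policy; empty means acceptable."""
    problems = []
    if p.lifetime_s > MAX_LIFETIME:
        problems.append(
            f"lifetime {p.lifetime_s}s exceeds the 30-day maximum of {MAX_LIFETIME}s")
    if is_long_sa(p.lifetime_s):
        if p.cipher not in LONG_SA_CIPHERS:
            problems.append(
                f"a long SA lifetime requires AES-CBC or AES-GCM, got {p.cipher}")
        elif p.key_bits < 128:
            problems.append(
                f"a long SA lifetime requires an AES key of 128 bits or stronger, got {p.key_bits}")
    return problems


def gms_blocking_policy_change(gm_supports_long_sa: dict[str, bool]) -> list[str]:
    """Registered GMs that do not support long SA lifetime.

    The KS should not move from a short to a long SA policy (crypto gdoi ks
    rekey) until this list is empty, i.e. until those GMs are upgraded.
    """
    return sorted(gm for gm, ok in gm_supports_long_sa.items() if not ok)


# Constructed sample input: a proposed 7-day AES-GCM policy and a capability
# table for three registered GMs, one of which runs an older release.
PROPOSED = TekPolicy(cipher="aes-gcm", key_bits=256, lifetime_s=7 * DAY)
REGISTERED_GMS = {"gm-branch-1": True, "gm-branch-2": True, "gm-legacy-3": False}

if __name__ == "__main__":
    for msg in validate_policy(PROPOSED):
        print("policy error:", msg)
    blockers = gms_blocking_policy_change(REGISTERED_GMS)
    if blockers:
        print("upgrade before running 'crypto gdoi ks rekey':", ", ".join(blockers))
    print("rekey interval (s):", rekey_interval(PROPOSED.lifetime_s))
```

Run it as-is to see the sample policy pass the cipher and lifetime checks while the legacy GM is flagged as blocking the change; swap in a 3DES or 64-bit-key policy, or a lifetime above 30 days, to see the corresponding errors.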