
IPSec Pre-Shared Key Rotation

Configuration > Overlays & Security > Security > IPSec Key Rotation

Use this dialog box to schedule the rotation of auto-generated IPSec pre-shared keys.

Failure Handling and Orchestrator Reachability

Orchestrator distributes key material to all EdgeConnect appliances in the network. Immediately before the end of a key rotation interval, Orchestrator activates new ephemeral key material on all of the EdgeConnect appliances in the SD-WAN network. For key activation, all the appliances should be reachable from Orchestrator. However, there are two cases of unreachability:

  1. Inactive appliances: When appliances are inactive, they exist in the Orchestrator, but do not have tunnels configured to any active appliances.

  2. Temporary unreachability: Temporary unreachability occurs when an EdgeConnect appliance reboots or when there is a link or communication failure. In this case, Orchestrator will not activate the new key material until all active appliances are reachable and have received the new key material, or until the maximum activation wait time has been exceeded. If an appliance is unreachable for a period longer than the key rotation interval, it is treated as an inactive appliance.

Re-authorization: Inactive appliances that become active at a later point in time will be authorized to receive the current key material. Only then will they be able to download configurations and build tunnels.

Schedule IPSec Key Rotation Dialog Box

The Schedule IPSec Key Rotation dialog box enables you to schedule your key rotation. The following tables provide details about the two sections in this dialog box.

SD-WAN IPSec UDP Key Material Rotation Section

Enable Key Rotation: Select this check box to enable key rotation.

Persist Key Material: If enabled, key material is stored on each appliance, ensuring data plane tunnels are built quickly after an appliance reboot (no dependency on Orchestrator). If disabled, new key material from Orchestrator is required after any reboot (Orchestrator reachability is critical).

Max Activation Wait: Maximum time (in hours) Orchestrator waits before activating the new key material. This wait time applies only when unreachable appliances exist in the network and at least one tunnel is UP from a reachable appliance to an unreachable appliance. This gives you time to fix connectivity issues. After the wait time expires, Orchestrator activates the new key material on all reachable appliances. Generally, it is recommended to set this wait time to half of the rotation period.

Rotation Period: Click the edit icon to set the rotation period and the time you want the key material rotation to begin. Click Force Rotate to immediately start a new key material rotation.

Key Material Lifetime: Amount of time a key material lasts.

CAUTION: The lifetime must be at least three times the amount of the set Rotation Period.
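The activation rules in the Failure Handling section and the timing constraints of the three fields above can be checked with a small model. The following is an added illustration written for this page, not Orchestrator code: the `Appliance` fields, the function names, and the assumption that a reachable appliance has already received the new key material are all the example's own, and the decision that activation is not held when no reachable appliance has a tunnel UP to an unreachable one is the example's reading of the Max Activation Wait description.

```python
from dataclasses import dataclass
from datetime import timedelta

H = timedelta(hours=1)


@dataclass
class Appliance:
    """Constructed view of one EdgeConnect appliance as Orchestrator sees it (assumed fields)."""
    name: str
    reachable: bool = True
    unreachable_for: timedelta = timedelta(0)
    # True when some reachable appliance still has a tunnel UP to this one
    tunnel_up_from_reachable_peer: bool = False


@dataclass
class RotationSchedule:
    """The three timing fields of the SD-WAN IPSec UDP Key Material Rotation section."""
    rotation_period: timedelta
    max_activation_wait: timedelta
    key_material_lifetime: timedelta

    def validate(self) -> tuple[list[str], list[str]]:
        """Return (errors, warnings). The lifetime rule is the page's CAUTION and is an
        error; the half-period wait is the page's recommendation, so it is a warning."""
        errors, warnings = [], []
        if self.key_material_lifetime < 3 * self.rotation_period:
            errors.append("Key Material Lifetime must be at least 3x the Rotation Period")
        if self.max_activation_wait != self.rotation_period / 2:
            warnings.append("Max Activation Wait is recommended to be half the Rotation Period")
        return errors, warnings


def is_inactive(appliance: Appliance, schedule: RotationSchedule) -> bool:
    """Unreachable for longer than the rotation interval means 'treated as inactive'."""
    return (not appliance.reachable) and appliance.unreachable_for > schedule.rotation_period


def activation_decision(schedule: RotationSchedule, appliances: list[Appliance],
                        waited: timedelta) -> tuple[bool, str]:
    """Decide whether Orchestrator activates the new key material now.

    `waited` is how long activation has already been held. Assumption: every
    reachable active appliance has received the new key material."""
    active = [a for a in appliances if not is_inactive(a, schedule)]
    unreachable = [a for a in active if not a.reachable]
    if not unreachable:
        return True, "all active appliances are reachable and hold the new key material"
    # The wait applies only while a reachable appliance has a tunnel UP to an unreachable
    # one (assumed reading of the Max Activation Wait field).
    holding = [a for a in unreachable if a.tunnel_up_from_reachable_peer]
    if not holding:
        return True, "no reachable appliance has a tunnel UP to an unreachable one"
    if waited >= schedule.max_activation_wait:
        return True, "Max Activation Wait exceeded; activating on all reachable appliances"
    return False, "holding activation for: " + ", ".join(a.name for a in holding)


def valid_generations(schedule: RotationSchedule, elapsed: timedelta) -> list[int]:
    """Key-material generations still within their lifetime at time `elapsed` after the
    first activation. Generation k is activated at k * rotation_period and expires
    lifetime later; with lifetime >= 3x period at least three overlap at any moment."""
    gens = []
    k = 0
    while k * schedule.rotation_period <= elapsed:
        activated = k * schedule.rotation_period
        if elapsed < activated + schedule.key_material_lifetime:
            gens.append(k)
        k += 1
    return gens


if __name__ == "__main__":
    sched = RotationSchedule(rotation_period=24 * H, max_activation_wait=12 * H,
                             key_material_lifetime=72 * H)
    print("validate:", sched.validate())
    fleet = [Appliance("hub-1"),
             Appliance("branch-7", reachable=False, unreachable_for=2 * H,
                       tunnel_up_from_reachable_peer=True)]
    print("after 3h:", activation_decision(sched, fleet, 3 * H))
    print("after 12h:", activation_decision(sched, fleet, 12 * H))
    print("generations valid at t=50h:", valid_generations(sched, 50 * H))
```

Run as a script to see the decision change from held to activated once the wait expires, and the three overlapping generations that the 3x lifetime rule guarantees.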

SD-WAN IPSec Pre-shared Key Rotation Section

Enable: Select this check box to enable pre-shared key rotation.

Period: Click the edit icon to set the time when you want the key rotation to begin.


© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.