Configuration > Overlays & Security > Security > IPSec Key Rotation
Use this dialog box to schedule the rotation of auto-generated IPSec pre-shared keys.
Orchestrator distributes key material to all EdgeConnect appliances in the network. Immediately before the end of a key rotation interval, Orchestrator activates new ephemeral key material on all EdgeConnect appliances in the SD-WAN network. For key activation, all appliances should be reachable from Orchestrator. However, there are two cases of unreachability:
Inactive appliances: Inactive appliances exist in Orchestrator but do not have tunnels configured to any active appliances.
Temporary unreachability: Temporary unreachability occurs when an EdgeConnect appliance reboots or when a link or communication failure occurs. In this case, Orchestrator does not activate the new key material until all active appliances are reachable and have received the new key material, or until the maximum activation wait time has been exceeded. If an appliance is unreachable for longer than the key rotation interval, it is treated as an inactive appliance.
Re-authorization: Inactive appliances that become active at a later point in time are authorized to receive the current key material. Only then can they download configurations and build tunnels.
The Schedule IPSec Key Rotation dialog box enables you to schedule your key rotation. The following tables provide details about the two sections in this dialog box.
SD-WAN IPSec UDP Key Material Rotation Section
| Field | Description |
|---|---|
| Enable Key Rotation | Select this check box to enable key rotation. |
| Persist Key Material | If enabled, key material is stored on each appliance, so data plane tunnels are built quickly after an appliance reboot (no dependency on Orchestrator). If disabled, new key material from Orchestrator is required after any reboot, so Orchestrator reachability is critical. |
| Max Activation Wait | Maximum time (in hours) that Orchestrator waits before activating the new key material. This wait time applies only when unreachable appliances exist in the network and at least one tunnel is UP from a reachable appliance to an unreachable appliance. This gives you time to fix connectivity issues. After the wait time expires, Orchestrator activates the new key material on all reachable appliances. As a general recommendation, set this wait time to half of the Rotation Period. |
| Rotation Period | Click the edit icon to set the rotation period and the time at which you want the key material rotation to begin. Click Force Rotate to immediately start a new key material rotation. |
| Key Material Lifetime | Amount of time for which key material remains valid. |
CAUTION: The lifetime must be at least three times the amount of the set Rotation Period.
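The activation logic and the schedule constraints described above, as an added worked example (a model written for this page, not Orchestrator's own code): `validate_schedule` checks the Lifetime and Max Activation Wait rules, and `activation_decision` applies the reachability rules to a constructed set of appliances. The appliance names, hour values and the treatment of an appliance with no UP tunnel towards an unreachable peer are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Appliance:
    name: str
    reachable: bool                  # Orchestrator can currently reach it
    has_new_key: bool                # has received the pending key material
    unreachable_hours: float = 0.0   # how long it has been unreachable
    tunnel_peers: tuple = ()         # peers with which a tunnel is UP

def validate_schedule(rotation_period_h, lifetime_h, max_wait_h):
    """Return the dialog's constraint violations (empty list means OK)."""
    problems = []
    if lifetime_h < 3 * rotation_period_h:        # CAUTION: hard requirement
        problems.append("lifetime < 3 x rotation period")
    if max_wait_h > rotation_period_h / 2:        # recommendation only
        problems.append("max wait > half of rotation period")
    return problems

def activation_decision(appliances, rotation_period_h, max_wait_h, waited_h):
    """Decide 'activate' or 'wait' for pending key material.
    Illustrative model of the documented behaviour (assumption), not
    Orchestrator's implementation."""
    # Unreachable for longer than the rotation interval: treated as inactive.
    candidates = [a for a in appliances if a.unreachable_hours <= rotation_period_h]
    names = {a.name for a in candidates}
    # Inactive: no tunnel configured to any other candidate appliance.
    active = [a for a in candidates if any(p in names for p in a.tunnel_peers)]
    unreachable = {a.name for a in active if not a.reachable}
    if not unreachable and all(a.has_new_key for a in active):
        return "activate", "all active appliances reachable and keyed"
    if any(a.reachable and not a.has_new_key for a in active):
        return "wait", "distribution to reachable appliances still in progress"
    # The wait applies only if a tunnel is UP from a reachable to an unreachable one
    # (assumption: otherwise activation proceeds).
    blocking = any(p in unreachable for a in active if a.reachable for p in a.tunnel_peers)
    if not blocking:
        return "activate", "no UP tunnel towards an unreachable appliance"
    if waited_h >= max_wait_h:
        return "activate", "max activation wait exceeded"
    return "wait", f"waiting for {sorted(unreachable)}"

if __name__ == "__main__":
    # Constructed sample: a 24 h rotation period with a 12 h max wait.
    hub = Appliance("hub", True, True, 0.0, ("br1", "br2"))
    br1 = Appliance("br1", True, True, 0.0, ("hub",))
    br2 = Appliance("br2", False, False, 1.0, ("hub",))
    print(validate_schedule(24, 48, 12))                   # lifetime too short
    print(activation_decision([hub, br1, br2], 24, 12, 2)) # wait
    print(activation_decision([hub, br1, br2], 24, 12, 12))# activate
```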
SD-WAN IPSec Pre-shared Key Rotation Section
| Field | Description |
|---|---|
| Enable | Select this check box to enable pre-shared key rotation. |
| Period | Click the edit icon to set the time at which you want the key rotation to begin. |