pkavin
Article Id 211931
Description
This article describes the behaviour of FortiOS when an SA rekey happens for Phase 1 and Phase 2 on FortiGate.
Scope
FortiGate.
Solution

What is a Security Association (SA)?

The concept of a 'Security Association' (SA) is fundamental to IPsec. An SA is a set of security parameters and cryptographic keys that protects either the IKE negotiation itself (the IKE SA) or the user traffic (the IPsec SA).

-The same IKE SA is used to protect incoming and outgoing traffic.

-Two distinct IPsec SAs (one per direction) are used for incoming and outgoing traffic.

-An SA includes the specific security protections, cryptographic algorithms and secret keys to be applied, as well as the specific types of traffic to be protected.


What is an SPI (Security Parameters Index)?

The SPI is the identifier of an IPsec SA. It is a value that, together with the destination address and the security protocol (ESP), uniquely identifies a single SA. When a protected packet is received, the SPI is used to look up the matching SA in the IPsec SA database so that the packet can be decrypted.


What are the SA keys for IKEv1 and IKEv2?

For IKEv1, IKE uses a single SA and a single set of keys for both directions.

For IKEv1, IPsec uses two SAs (one per direction) and two keys per direction.

For IKEv2, IKE uses a single SA and two keys per direction.

For IKEv2, IPsec uses two SAs (one per direction) and two keys per direction.


What is an SA (Security Association) rekey?

IKE and ESP (IPsec) Security Associations use secret keys that should be used only for a limited amount of time and to protect a limited amount of data. This limits the lifetime of the entire Security Association. 'Rekeying' is the process of negotiating a new SA before the lifetime of the existing SA expires.


How does FortiOS handle the rekey of ADVPN shortcut tunnels?

IKE SA (Phase 1) rekey:

  • Spoke1 creates an IPsec VPN tunnel with Hub1.
  • Spoke1 also creates an IPsec VPN shortcut tunnel with Spoke2.
  • When the IKEv1 (Phase 1) rekey is initiated, both devices try to re-authenticate the IKEv1 tunnel independently of the existing SA. This is the only way to renew an IKEv1 SA, and it applies equally to shortcut tunnels and parent tunnels.
  • For the IKEv1 (Phase 1) rekey of the shortcut tunnel between the spokes, the rekey fails because the PSK between them is a temporary PSK that is not saved. IKE therefore negotiates the shortcut tunnel again once traffic traverses the hub and the hub sends a new shortcut offer. As a result, a few packets will always traverse the hub after the IKEv1 SA lifetime expires.
  • The following entry appears under 'VPN Events' when the IKEv1 rekey fails; this is a normal, expected event:

 

date=2021-06-27 time=13:35:59 id=6978575218893651968 itime="2021-06-27 13:36:00" euid=2 epid=2 dsteuid=2 dstepid=2 logver=700000066 logid=0101037124 type="event" subtype="vpn" level="error" action="negotiate" msg="IPsec phase 1 error" logdesc="IPsec phase 1 error" user="N/A" status="negotiate_error" remip=150.0.0.2 locip=90.0.0.2 remport=500 locport=500 outintf="port2" cookies="5107a9ab098aae35/0000000000000000" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="N/A" peer_notif="NOT-APPLICABLE" reason="peer SA proposal not match local policy" eventtime=1624826159949362758 tz="-0700" useralt="N/A" devid="FGVM0TTTTTTTTTTT" vd="root" dtime="2021-06-27 13:35:59" itime_t=1624826160 devname="Spoke1-SPLabs"

 

  • When IKEv2 is used, the shortcut tunnel is rekeyed without any interruption.
  • In IKEv2, the new IKE SA is negotiated under the protection of the existing IKE SA, so no authentication (PSK or signature) is performed for the new IKE SA.
  • This is the default behaviour for FortiOS IKEv2 SA renewal: a CREATE_CHILD_SA exchange is used to negotiate the new IKEv2 SA.
  • An IKEv1 SA cannot be renewed in this way, so the shortcut tunnel must be re-established every time the SA lifetime expires.

 
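As an added example, not from the article: a small Python parser for the FortiOS key=value event format shown above that collects 'IPsec phase 1 error' (status negotiate_error) events per local/remote peer pair and computes the interval between consecutive failures, so an operator can check whether recurring shortcut-rekey failures line up with the configured IKEv1 Phase 1 lifetime rather than indicating a real proposal mismatch. The log lines are constructed, modelled on the event quoted above; the success event for a hub named Hub1 at 10.0.0.1 is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the 'VPN Events' entry quoted in the article: two
# phase 1 errors from the same spoke pair one hour apart, plus one (assumed) hub success.
SAMPLE_LOGS = [
    'date=2021-06-27 time=13:35:59 type="event" subtype="vpn" level="error" action="negotiate" '
    'msg="IPsec phase 1 error" status="negotiate_error" remip=150.0.0.2 locip=90.0.0.2 '
    'vpntunnel="N/A" reason="peer SA proposal not match local policy" devname="Spoke1-SPLabs"',
    'date=2021-06-27 time=13:36:05 type="event" subtype="vpn" level="notice" action="negotiate" '
    'msg="IPsec phase 1 success" status="success" remip=10.0.0.1 locip=90.0.0.2 '
    'vpntunnel="Hub1" devname="Spoke1-SPLabs"',
    'date=2021-06-27 time=14:35:59 type="event" subtype="vpn" level="error" action="negotiate" '
    'msg="IPsec phase 1 error" status="negotiate_error" remip=150.0.0.2 locip=90.0.0.2 '
    'vpntunnel="N/A" reason="peer SA proposal not match local policy" devname="Spoke1-SPLabs"',
]

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict of field -> string value."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def phase1_negotiate_errors(lines):
    """Return {(locip, remip): [(datetime, reason), ...]} for IPsec phase 1 negotiate errors."""
    by_peer = defaultdict(list)
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("subtype") != "vpn" or ev.get("status") != "negotiate_error":
            continue
        when = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        by_peer[(ev["locip"], ev["remip"])].append((when, ev.get("reason", "")))
    return dict(by_peer)


def error_intervals(lines):
    """Seconds between consecutive phase 1 errors per peer pair. A steady gap equal to the
    configured IKEv1 Phase 1 lifetime is the expected shortcut re-authentication failure."""
    intervals = {}
    for peer, events in phase1_negotiate_errors(lines).items():
        times = sorted(t for t, _ in events)
        intervals[peer] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return intervals
```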

IPsec SA (Phase 2) rekey:

  • When a Phase 2 rekey happens, in both IKEv1 and IKEv2, the shortcut tunnel is not flushed.