FortiGate
princes
Article Id 397379

Description: This article explains how to rekey phase-2 child SAs.
Scope: FortiGate.
Solution:

For IPsec tunnels on the FortiGate, the default Phase-1 lifetime is 86400 seconds. The Phase-2 rekey timer is generally half of the Phase-1 lifetime.

The purpose of Phase-2 rekeying is to generate new session keys for the Phase-2 SAs; this provides more security for the associated Child SAs, since a single key is used for a bounded amount of time or traffic.

PFS (Perfect Forward Secrecy) performs a fresh Diffie-Hellman exchange at each Phase-2 rekey, so the new encryption keys are not derived from the previous ones. When PFS is disabled, the IPsec SA keys are derived only from the key computed during IKE SA negotiation. Some implementations require PFS to be enabled for the rekey feature. On FortiGate, the rekey is triggered based on the Phase-2 timer and/or data volume.

On the FortiGate, there are 3 methods to define the rekey timers for child SAs:

  • Seconds: Phase-2 rekeying is done based on the time defined in each phase-2 child SA. If the timer is 3600 seconds, the phase-2 Child SAs are rekeyed before this time expires.
  • Kilobytes: For each phase-2 SA, rekeying is done once the defined data limit in kilobytes has been transferred.
  • Both: With this option, either condition (seconds or Kilobytes) can trigger the rekey. Rekeying is performed as soon as one of the two conditions is met.

Screenshot 2025-06-20 162008.png

Note: As per the recommendation, the Seconds option should be used.

While an SA is being rekeyed, the tunnel list output shows sa=2 for that proxyid; it also displays the expiry timer for the SA:

proxyid=Spoke1_VPN1 proto=0 sa=2 ref=3 serial=1 adr
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=34638/0B replaywin=2048
seqno=13c esn=0 replaywin_lastseq=0000013c qat=0 rekey=0 hash_search_len=1

In the above output, the Seconds option is used for phase-2 rekey and the rekey is in progress (sa=2). The remaining lifetime can be seen in the output: 'expire=34638' (configured value 43200 seconds).
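The following Python script is an added example (not part of the original article) that parses tunnel-list output of the kind shown above, as produced by the FortiGate command `diagnose vpn tunnel list`, and reports per proxyid whether a rekey is in progress (sa=2), whether the remaining lifetime is unusually small, or whether the remaining lifetime exceeds the locally configured keylifeseconds, which hints that the peer negotiated a different lifetime. The sample output (the second proxyid is invented), the `warn_below_s` threshold and the `lifetime-mismatch` heuristic are constructed for this example.

```python
import re

# Constructed sample in the style of `diagnose vpn tunnel list`. The first entry
# mirrors the article's output; the second is invented to show a single-SA tunnel
# that is close to expiry.
SAMPLE_OUTPUT = """\
proxyid=Spoke1_VPN1 proto=0 sa=2 ref=3 serial=1 adr
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=34638/0B replaywin=2048
       seqno=13c esn=0 replaywin_lastseq=0000013c qat=0 rekey=0 hash_search_len=1
proxyid=Spoke2_VPN1 proto=0 sa=1 ref=2 serial=2 adr
  src: 0:10.0.0.0-10.0.0.255:0
  dst: 0:10.1.0.0-10.1.0.255:0
  SA: ref=2 options=32202 type=00 soft=0 mtu=1438 expire=120/0B replaywin=2048
       seqno=5 esn=0 replaywin_lastseq=00000005 qat=0 rekey=0 hash_search_len=1
"""

# "proxyid=<name> ... sa=<n>" opens a new child-SA entry.
PROXY_RE = re.compile(r"^proxyid=(?P<name>\S+) .*\bsa=(?P<sa>\d+)")
# "expire=<seconds>/<bytes>B" appears on each SA line.
EXPIRE_RE = re.compile(r"\bexpire=(?P<secs>\d+)/(?P<bytes>\d+)B")


def parse_tunnel_list(text):
    """Return {proxyid: {"sa": n, "expire_s": [...], "expire_b": [...]}}."""
    tunnels = {}
    current = None
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            current = {"sa": int(m["sa"]), "expire_s": [], "expire_b": []}
            tunnels[m["name"]] = current
            continue
        m = EXPIRE_RE.search(line)
        if m and current is not None:
            current["expire_s"].append(int(m["secs"]))
            current["expire_b"].append(int(m["bytes"]))
    return tunnels


def rekey_status(tunnels, configured_keylife_s, warn_below_s=300):
    """Classify each proxyid. warn_below_s is an arbitrary threshold chosen here."""
    status = {}
    for name, t in tunnels.items():
        remaining = min(t["expire_s"]) if t["expire_s"] else None
        if t["sa"] == 0 or remaining is None:
            status[name] = "down"               # no child SA installed
        elif t["sa"] >= 2:
            status[name] = "rekeying"           # old and new SA coexist (article's sa=2 case)
        elif remaining > configured_keylife_s:
            # Heuristic: the SA lifetime counts down from the negotiated value, so a
            # value above our own keylifeseconds suggests the peer's setting differs.
            status[name] = "lifetime-mismatch"
        elif remaining < warn_below_s:
            status[name] = "expiring-soon"      # single SA and no rekey started yet
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    tunnels = parse_tunnel_list(SAMPLE_OUTPUT)
    for name, state in rekey_status(tunnels, configured_keylife_s=43200).items():
        print(f"{name}: {state} (expire={tunnels[name]['expire_s']})")
```

Feed the script the saved output of `diagnose vpn tunnel list` and the keylifeseconds value from the matching phase2-interface entry; a tunnel that sits at "expiring-soon" without ever moving to "rekeying" is the one to investigate on both ends.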

It is important to configure the same rekey settings on both ends of the VPN tunnel, since an issue can arise if one end rekeys while the other end is still using the previous session keys.

As per the recommendations, the phase-2 timer should be less than the phase-1 timer. Otherwise, the phase-1 rekey can bring the complete tunnel down (the management tunnel as well) while phase-2 is rekeying, and this can also result in IPsec phase-2 flapping.
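As an added example (not part of the original article, and not Fortinet code), the Python script below ties together the three keylife options listed earlier and the two recommendations just given: it parses phase1-interface and phase2-interface configuration text in the format of `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` from both ends of a tunnel, derives the effective rekey trigger for each keylife-type, and reports where the phase-2 lifetime is not below the phase-1 lifetime or where the two ends disagree. The two configurations are constructed for this example (the spoke deliberately differs from the hub), and the fallback defaults in `P2_DEFAULTS` are assumed values for settings not present in the text.

```python
import re

# Constructed sample configs for the two ends of one tunnel. The spoke's
# phase-2 settings deliberately differ from the hub's.
HUB_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Spoke1_VPN1"
        set keylife 86400
    next
end
config vpn ipsec phase2-interface
    edit "Spoke1_VPN1"
        set phase1name "Spoke1_VPN1"
        set pfs enable
        set keylife-type seconds
        set keylifeseconds 43200
    next
end
"""
SPOKE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Hub_VPN1"
        set keylife 28800
    next
end
config vpn ipsec phase2-interface
    edit "Hub_VPN1"
        set phase1name "Hub_VPN1"
        set pfs enable
        set keylife-type both
        set keylifeseconds 28800
        set keylifekbs 5120
    next
end
"""

SET_RE = re.compile(r'^set\s+(\S+)\s+"?([^"]*)"?$')
P1_DEFAULTS = {"keylife": 86400}  # default phase-1 lifetime stated in the article
# Assumed fallbacks used only when a setting is absent from the parsed text.
P2_DEFAULTS = {"keylife-type": "seconds", "keylifeseconds": 43200, "keylifekbs": 5120, "pfs": "enable"}


def parse_ipsec_config(text):
    """Return {"phase1": {name: {key: value}}, "phase2": {...}} from FortiOS config text."""
    cfg = {"phase1": {}, "phase2": {}}
    table = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase1-interface"):
            table = "phase1"
        elif line.startswith("config vpn ipsec phase2-interface"):
            table = "phase2"
        elif line.startswith("edit ") and table:
            name = line.split(None, 1)[1].strip('"')
            cfg[table][name] = {}
        elif line == "next":
            name = None
        elif line == "end":
            table = None
        else:
            m = SET_RE.match(line)
            if name and m:
                cfg[table][name][m.group(1)] = m.group(2)
    return cfg


def rekey_limits(p2):
    """Effective rekey trigger(s) for a phase-2 entry as (seconds, kbs); None = not a trigger."""
    ktype = p2.get("keylife-type", P2_DEFAULTS["keylife-type"])
    secs = int(p2.get("keylifeseconds", P2_DEFAULTS["keylifeseconds"]))
    kbs = int(p2.get("keylifekbs", P2_DEFAULTS["keylifekbs"]))
    if ktype == "seconds":
        return secs, None
    if ktype == "kbs":
        return None, kbs
    if ktype == "both":
        return secs, kbs  # whichever limit is reached first triggers the rekey
    raise ValueError(f"unknown keylife-type {ktype!r}")


def rekey_due(p2, elapsed_s, kb_transferred):
    """True when an SA with these settings should be rekeyed given its age and traffic."""
    secs, kbs = rekey_limits(p2)
    return (secs is not None and elapsed_s >= secs) or (kbs is not None and kb_transferred >= kbs)


def check_end(cfg, p2name):
    """Findings for one end: the phase-2 lifetime must be shorter than its phase-1 lifetime."""
    p2 = cfg["phase2"][p2name]
    p1 = cfg["phase1"].get(p2.get("phase1name", p2name), {})
    p1_life = int(p1.get("keylife", P1_DEFAULTS["keylife"]))
    secs, _ = rekey_limits(p2)
    if secs is not None and secs >= p1_life:
        return [f"{p2name}: phase-2 keylifeseconds {secs} is not below phase-1 keylife {p1_life}"]
    return []


def check_pair(local, local_name, remote, remote_name):
    """Findings across both ends: rekey settings should match on each side of the tunnel."""
    findings = check_end(local, local_name) + check_end(remote, remote_name)
    lp2, rp2 = local["phase2"][local_name], remote["phase2"][remote_name]
    for key in ("keylife-type", "keylifeseconds", "keylifekbs", "pfs"):
        lv, rv = lp2.get(key, P2_DEFAULTS[key]), rp2.get(key, P2_DEFAULTS[key])
        if str(lv) != str(rv):
            findings.append(f"{key}: local={lv} remote={rv}")
    return findings


if __name__ == "__main__":
    hub, spoke = parse_ipsec_config(HUB_CONFIG), parse_ipsec_config(SPOKE_CONFIG)
    for finding in check_pair(hub, "Spoke1_VPN1", spoke, "Hub_VPN1"):
        print("FINDING:", finding)
```

Running it on the constructed configs prints three findings: the spoke's phase-2 lifetime equals its phase-1 lifetime, and the two ends disagree on keylife-type and keylifeseconds. Paste the `show` output from each firewall into the two strings to run the same checks on a real pair.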

Related articles

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
Troubleshooting Tip: IPsec VPN tunnels
Technical Tip: IPsec VPN error 'ike Negotiate SA Error: ike ike [1470]'
Technical Tip: Explanation of 'Unknown SPI' message in Event log
Troubleshooting Tip: Azure VPN error: peer SA proposal not match local policy