Description | This article explains how to rekey phase-2 child SAs. |
Scope | FortiGate. |
Solution |
For IPsec tunnels on the FortiGate, the default Phase-1 lifetime is 86400 seconds. The Phase-2 rekey timer is generally half of the Phase-1 lifetime.
The purpose of Phase-2 rekeying is to regenerate the new session keys for Phase-2 SAs; this provides more security to the associated Child SAs.
PFS (Perfect Forward Secrecy) causes fresh session key material to be generated at each Phase-2 rekey, so the new Phase-2 encryption keys are independent of the previous ones. When PFS is disabled, the IPsec SA keys are derived only from the key computed during IKE SA negotiation. Some implementations require PFS to be enabled for rekeying to work. On FortiGate, the rekey itself is triggered by the Phase-2 timer or data-byte counters.
On the FortiGate, there are 3 methods to define the rekey timers for child SAs:
Note: As per the recommendation, the second option should be used.
While a child SA is being rekeyed, the tunnel list output shows sa=2 for that SA; the output also displays the expiry timer for the SA:
proxyid=Spoke1_VPN1 proto=0 sa=2 ref=3 serial=1 adr
In the above output, the second option is in use and the phase-2 rekey is in progress (sa=2). The timer can be seen in the output as 'expire 34638 (configured value 43200)'.
It is important to configure the same timers on both ends of the VPN tunnel; otherwise one end may rekey while the other end is still using the old session keys, which causes a mismatch between the peers.
As recommended, the phase-2 timer should be less than the phase-1 timer; if it is not, a rekey can bring the complete tunnel down (the management tunnel as well) and can also result in IPsec phase-2 flapping.
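As an added check, not part of this article or of Fortinet's tooling, the following Python script parses tunnel-list lines in the form quoted above, flags child SAs that are mid-rekey (sa=2) or missing (sa=0), and reports any configured phase-2 lifetime that is not below the 86400-second phase-1 lifetime. The sample output is constructed to match the fragments shown above; the field layout on a real device may differ, so adjust the patterns accordingly.

```python
import re

# Constructed sample modelled on the fragments quoted in the article (not captured from a device).
SAMPLE = """\
name=Spoke1_VPN1 ver=2 serial=1 10.0.0.1:500->10.0.0.2:500
proxyid=Spoke1_VPN1 proto=0 sa=2 ref=3 serial=1 expire 34638 (configured value 43200)
name=Spoke2_VPN1 ver=2 serial=2 10.0.0.1:500->10.0.0.3:500
proxyid=Spoke2_VPN1 proto=0 sa=1 ref=3 serial=1 expire 1200 (configured value 86400)
name=Spoke3_VPN1 ver=2 serial=3 10.0.0.1:500->10.0.0.4:500
proxyid=Spoke3_VPN1 proto=0 sa=0 ref=1 serial=1
"""

PHASE1_LIFETIME = 86400  # FortiGate default phase-1 lifetime in seconds (per the article)

# Two patterns: the SA summary and the optional expiry/configured-lifetime fragment.
SA_RE = re.compile(r"proxyid=(?P<proxyid>\S+)\s+proto=\d+\s+sa=(?P<sa>\d+)")
EXPIRE_RE = re.compile(r"expire\s+(?P<expire>\d+)\s+\(configured value\s+(?P<conf>\d+)\)")


def parse_child_sas(text):
    """Return one dict per proxyid line: proxyid, SA count, expiry and configured lifetime."""
    entries = []
    for line in text.splitlines():
        sa = SA_RE.search(line)
        if not sa:
            continue
        exp = EXPIRE_RE.search(line)
        entries.append({
            "proxyid": sa["proxyid"],
            "sa": int(sa["sa"]),
            "expire": int(exp["expire"]) if exp else None,
            "configured": int(exp["conf"]) if exp else None,
        })
    return entries


def assess(entries, phase1_lifetime=PHASE1_LIFETIME):
    """Map proxyid -> list of findings: rekey in progress, no SA, or phase-2 lifetime too long."""
    findings = {}
    for e in entries:
        notes = []
        if e["sa"] == 2:
            notes.append("rekey in progress")
        elif e["sa"] == 0:
            notes.append("no child SA established")
        if e["configured"] is not None and e["configured"] >= phase1_lifetime:
            notes.append("phase-2 lifetime not below phase-1 lifetime")
        findings[e["proxyid"]] = notes
    return findings


if __name__ == "__main__":
    for proxyid, notes in assess(parse_child_sas(SAMPLE)).items():
        print(proxyid, "->", "; ".join(notes) or "ok")
```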
Related articles:
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
Technical Tip: IPsec VPN error 'ike Negotiate SA Error: ike ike [1470]'
Technical Tip: Explanation of 'Unknown SPI' message in Event log
Troubleshooting Tip: Azure VPN error: peer SA proposal not match local policy |
Copyright 2025 Fortinet, Inc. All Rights Reserved.