Refreshing phase 1 Security Associations

Refreshing a Security Association is the process of creating a new Security Association to replace an existing one. The IKE daemon (IKED) automatically refreshes a Security Association when it is about to expire, so that the replacement is in place before the lifetime of the existing Security Association runs out.

When an IKEv1 phase 1 Security Association is refreshed, the IKED performs the following actions:
  • It creates a new Security Association by using a main mode or aggressive mode exchange.
  • It negotiates new keys, and it reauthenticates the identity of the IKE peer as part of that exchange.
When an IKEv2 phase 1 Security Association is refreshed, the IKED performs the following actions:
  • It creates a new Security Association by using a CREATE_CHILD_SA (create child) exchange under the protection of the existing Security Association.
  • It negotiates new keys but does not reauthenticate the identity of the IKE peer. Reauthentication of an IKEv2 peer requires a new IKE_SA_INIT and IKE_AUTH exchange, which a refresh does not perform.

Because an IKEv2 refresh does not reauthenticate the peer, a long-lived IKEv2 phase 1 Security Association can be rekeyed indefinitely without the peer's credentials ever being checked again. You can use the ReauthInterval parameter on the KeyExchangeAction statement to cause the IKED to periodically reauthenticate an existing IKEv2 phase 1 Security Association. For more information about the KeyExchangeAction statement, see the KeyExchangeAction statement in z/OS Communications Server: IP Configuration Reference.
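The following policy fragment is an added illustration, not text taken from the z/OS Communications Server documentation or from any shipped sample profile. It shows a KeyExchangeAction statement with and without a ReauthInterval. The statement name, the offer reference name, and the interval value are assumptions chosen for the example; the parameter names other than ReauthInterval and the meaning of the value (minutes, with 0 meaning no periodic reauthentication) are also assumptions and must be checked against the KeyExchangeAction statement in z/OS Communications Server: IP Configuration Reference before use.

```text
# Added example (assumed names and values; verify parameter syntax against
# the IP Configuration Reference before putting this in a policy file).

# Without ReauthInterval: the IKEv2 phase 1 SA is rekeyed automatically
# before its lifetime expires, but the peer is never reauthenticated.
KeyExchangeAction  IKEv2-NoReauth
{
  HowToInitiate        IKEv2
  HowToRespond         IKEv2
  HowToAuthMe          RsaSignature
  HowToAuthPeers       RsaSignature
  KeyExchangeOfferRef  IKEv2-Offer
}

# With ReauthInterval: in addition to automatic rekeying, the IKED
# periodically performs a full reauthentication of the IKEv2 peer
# (assumed here as once every 1440 minutes, that is, once a day).
KeyExchangeAction  IKEv2-Reauth-Daily
{
  HowToInitiate        IKEv2
  HowToRespond         IKEv2
  HowToAuthMe          RsaSignature
  HowToAuthPeers       RsaSignature
  ReauthInterval       1440
  KeyExchangeOfferRef  IKEv2-Offer
}
```

The reauthentication interval is independent of the Security Association lifetime: rekeying happens on the lifetime schedule and only replaces keys, while reauthentication on the ReauthInterval schedule re-verifies the peer's credentials. Choose the interval so that a revoked or replaced peer credential stops being accepted within an acceptable window.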

You can use the refresh option on the ipsec command to refresh an existing phase 1 Security Association on demand. When you use the ipsec command to refresh an existing IKEv1 or IKEv2 phase 1 Security Association, new keys are negotiated and the identity of the IKE peer is reauthenticated, unlike the automatic IKEv2 refresh, which does not reauthenticate. For more information about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.