Example—Replacing IPsec Security Associations (IPsec and IKE Administration Guide)

IPsec and IKE Administration Guide

Previous: How to Generate Random Numbers
Next: How to Verify That Packets are Protected

Example—Replacing IPsec Security Associations

To prevent an adversary from having time to break your cryptosystem, you need to refresh your keying material. When you replace the SAs on one system, the SAs must also be replaced on the communicating system.

When replacing security associations, remove the old keys before you add new keys. Use the flush command in ipseckey command mode to remove the old keys. Then add the new keying information.

# ipseckey
> flush
> add esp spi …

Previous: How to Generate Random Numbers
Next: How to Verify That Packets are Protected