SR OS supports CHILD_SA rekeying for both IKEv1 and IKEv2. The following are the behaviors for the rekey:
IKEv1 or IKEv2 CHILD_SA rekey initiator
outbound
The system immediately switches to the new security association (SA) after a new SA is created.
inbound
The old SA is kept for three minutes after the new SA is created. Then, it is removed, and upon removal:
IKEv1
The system does not send a delete message upon removal.
IKEv2
The system sends a delete message upon removal.
IKEv1 or IKEv2 CHILD_SA rekey responder
outbound
The system keeps using the old SA for 25 seconds after the new SA is created before switching to the new SA. If a delete message for the old SA is received before the 25 seconds elapse, the system removes the old SA and starts using the new SA.
inbound
The old SA is kept for the rest of its lifetime. However, if a delete message is received to close the corresponding outbound SA, then the system removes the corresponding inbound SA before its lifetime expires. The system sends a delete message when the old SA lifetime expires.
If the old SA lifetime expires before the 25 seconds or three minutes mentioned above, the old SA is removed upon expiration and the system sends a delete message.
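The rules above, modelled as an added example (not SR OS code and not part of the original text): the function returns when the system stops using or removes the old CHILD_SA, in seconds from creation of the new SA, and whether it sends a delete message. The function name, argument names and cause labels are assumptions made for this example; `None` marks cases where the text does not say whether a delete is sent.

```python
INITIATOR_INBOUND_HOLD = 180   # "three minutes" in the text
RESPONDER_OUTBOUND_HOLD = 25   # "25 seconds" in the text


def old_sa_end(role, direction, ike_version, lifetime_left, peer_delete_at=None):
    """Return (seconds, cause, sends_delete) for the old CHILD_SA.

    lifetime_left and peer_delete_at are seconds after the new SA is created.
    The text describes a received delete only for the responder, so
    peer_delete_at is ignored for the initiator.
    """
    if role not in ("initiator", "responder"):
        raise ValueError("role must be 'initiator' or 'responder'")
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    if ike_version not in (1, 2):
        raise ValueError("ike_version must be 1 or 2")

    # Initiator outbound: traffic moves to the new SA as soon as it exists.
    if role == "initiator" and direction == "outbound":
        return (0, "immediate-switch", None)

    # Lifetime expiry always removes the old SA and sends a delete message.
    events = [(lifetime_left, "lifetime-expired", True)]

    if role == "initiator":
        # Inbound hold timer: only IKEv2 sends a delete when it fires.
        events.append((INITIATOR_INBOUND_HOLD, "hold-timer", ike_version == 2))
    else:
        if direction == "outbound":
            events.append((RESPONDER_OUTBOUND_HOLD, "hold-timer", None))
        # Responder inbound has no hold timer: kept for the rest of its lifetime.
        if peer_delete_at is not None:
            events.append((peer_delete_at, "peer-delete", None))

    # Whichever event comes first decides the outcome.
    return min(events, key=lambda e: e[0])


if __name__ == "__main__":
    # Constructed scenarios: (role, direction, IKE version, lifetime left, peer delete)
    scenarios = [
        ("initiator", "inbound", 1, 3600, None),
        ("initiator", "inbound", 2, 60, None),
        ("responder", "outbound", 2, 3600, 10),
        ("responder", "inbound", 2, 3600, None),
    ]
    for s in scenarios:
        print(s, "->", old_sa_end(*s))
```

Comparing the predicted time with the SA removal and delete events seen on both peers shows whether an old SA that lingers after a rekey is expected behavior or not.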