Force a Branch Office VPN Tunnel Rekey
Gateway endpoints automatically generate and exchange new keys after a specified amount of time or traffic passes, as defined in the Force Key Expiration text boxes in the Phase 2 Proposals dialog box. If you want to immediately generate new keys instead of waiting for them to expire (particularly when you troubleshoot VPN tunnels), you can choose to rekey one or more IPSec Branch Office VPN (BOVPN) tunnels.
The Rekey Tunnel options do not apply to BOVPN over TLS tunnels.
- Select System Status > VPN Statistics.
- Click the gateway to see the tunnels for that gateway.
- To rekey a single tunnel, on the line for the VPN tunnel, click Rekey tunnel.
- To rekey all tunnels that use a gateway, on the gateway line click Rekey tunnels.
- To rekey all branch office VPN tunnels, click Rekey All Tunnels.
To rekey IPSec VPN tunnels, from Firebox System Manager:
- On the Front Panel tab, expand the Branch Office VPN Tunnels list for your Firebox.
- To rekey a single tunnel, right-click the tunnel, and select Rekey Selected BOVPN Tunnel.
- To rekey all tunnels that use a gateway, right-click the gateway, and select Rekey Selected BOVPN Tunnel.
- To rekey all tunnels, right-click any VPN gateway or tunnel, and select Rekey All VPN Tunnels.
To rekey IPSec VPN tunnels, from WatchGuard System Manager:
- Expand the Branch Office VPN Tunnels tree for your Firebox.
- To rekey a single tunnel, right-click the tunnel, and select Rekey IPSec Tunnels.
- To rekey all tunnels that use a gateway, right-click the gateway, and select Rekey IPSec Tunnels.
- To rekey all tunnels, right-click any VPN gateway or tunnel, and select Rekey All IPSec Tunnels.
When you rekey IPSec VPN tunnels from Firebox System Manager or WatchGuard System Manager, you must specify a user name and passphrase for a user account with Device Administrator privileges.