GET VPN Key Encryption Key Lifetime Configuration | CCIE Security Exam Answer

Change GET VPN Key Encryption Key Lifetime to 10800 seconds | CCIE Security Exam Solution


Question

Which configuration is the correct way to change a GET VPN Key Encryption Key lifetime to 10800 seconds on the key server?

Answers

Explanations


A. B. C. D. E.

D.

The correct answer to change a GET VPN Key Encryption Key lifetime to 10800 seconds on the key server is option D:

    crypto gdoi group GET-Group
     identity number 1234
     server local
      rekey lifetime seconds 10800

Here is an explanation of the different options:

A.

    crypto isakmp policy 1
     lifetime 10800

This configuration changes the lifetime of the ISAKMP policy, which is used for negotiating security associations during Phase 1 of IPsec VPN negotiations. However, it does not change the lifetime of the Key Encryption Key (KEK) used in GET VPN.

B.

    crypto ipsec security-association lifetime seconds 10800

This command changes the lifetime of the IPsec security association, which is used for securing the data transmitted between the GET VPN endpoints. However, this command does not change the lifetime of the KEK used in GET VPN.

C.

    crypto ipsec profile getvpn-profile
     set security-association lifetime seconds 10800
    !
    crypto gdoi group GET-Group
     identity number 1234
     server local
      sa ipsec 1
       profile getvpn-profile

This configuration changes the lifetime of the IPsec security association by configuring an IPsec profile with a new lifetime value. However, it does not change the lifetime of the KEK used in GET VPN.

D.

    crypto gdoi group GET-Group
     identity number 1234
     server local
      rekey lifetime seconds 10800

This command changes the lifetime of the KEK used in GET VPN by configuring a new rekey lifetime value. This is the correct option to change the KEK lifetime in GET VPN.

E.

    crypto gdoi group GET-Group
     identity number 1234
     server local

This configuration does not change the lifetime of the KEK or any other configuration parameter in GET VPN. It only identifies the local device as a GET VPN key server.

In summary, the correct configuration to change the GET VPN Key Encryption Key lifetime to 10800 seconds on the key server is:

    crypto gdoi group GET-Group
     identity number 1234
     server local
      rekey lifetime seconds 10800
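
The options above differ only in which lifetime each command sets, so a configuration audit has to read each "lifetime" line in the context of its parent mode. The following is an added example, not part of the original question or any Cisco tool: a small Python parser that classifies every lifetime in a key-server configuration as ISAKMP, IPsec SA or KEK. The sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample key-server configuration (not taken from a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 lifetime 86400
!
crypto ipsec profile getvpn-profile
 set security-association lifetime seconds 3600
!
crypto gdoi group GET-Group
 identity number 1234
 server local
  rekey lifetime seconds 10800
  sa ipsec 1
   profile getvpn-profile
"""

def lifetimes(config):
    """Return {(kind, name): seconds}; kind is 'isakmp', 'ipsec-sa' or 'kek'."""
    found = {}
    stack = []  # (indent, line) for each enclosing configuration mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Leave any mode that is not a parent of the current line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parents = [text for _, text in stack]
        top = parents[0] if parents else ""
        m = re.search(r"lifetime (?:seconds )?(\d+)$", line)
        if m:
            secs = int(m.group(1))
            if top.startswith("crypto isakmp policy") and line.startswith("lifetime"):
                found[("isakmp", top.split()[-1])] = secs        # option A
            elif not parents and line.startswith("crypto ipsec security-association lifetime"):
                found[("ipsec-sa", "global")] = secs             # option B
            elif top.startswith("crypto ipsec profile") and line.startswith("set security-association"):
                found[("ipsec-sa", top.split()[-1])] = secs      # option C
            elif (top.startswith("crypto gdoi group") and "server local" in parents
                  and line.startswith("rekey lifetime")):
                found[("kek", top.split()[-1])] = secs           # option D
        stack.append((indent, line))
    return found

if __name__ == "__main__":
    for (kind, name), secs in sorted(lifetimes(SAMPLE_CONFIG).items()):
        print(f"{kind:9} {name:15} {secs}")
```

A group that has no "kek" entry in the result has no explicit rekey lifetime under server local, which is the case for options A, B, C and E.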