I'm seeing the following "Session disconnected" message on the local PIX (7.0) VPN peer which has PFS (DH-Group 2) enabled.
Jun 20 15:36:52 192.168.1.1 Jun 20 2008 15:36:52 pix : %PIX-7-715077: Pitcher: received key delete msg, spi 0x85e0312a
Jun 20 15:36:52 192.168.1.1 Jun 20 2008 15:36:52 pix : %PIX-7-715077: Pitcher: received key delete msg, spi 0x60f647fd
Jun 20 15:36:52 192.168.1.1 Jun 20 2008 15:36:52 pix : %PIX-4-113019: Group = 126.96.36.199, Username = 188.8.131.52, IP = 184.108.40.206, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 2h:15m:37s, Bytes xmt: 67640, Bytes rcv: 536552, Reason: User Requested
From RFC 2409, I've found the following with regard to PFS.
"Perfect Forward Secrecy (PFS) of both keying material and identities is possible with this protocol. By specifying a Diffie-Hellman group, and passing public values in KE payloads, ISAKMP peers can establish PFS of keys-- the identities would be protected by SKEYID_e from the ISAKMP SA and would therefore not be protected by PFS. If PFS of both keying material and identities is desired, an ISAKMP peer MUST establish only one non-ISAKMP security association (e.g. IPsec Security Association) per ISAKMP SA. PFS for keys and identities is accomplished by deleting the ISAKMP SA (and optionally issuing a DELETE message) upon establishment of the single non-ISAKMP SA. In this way a phase one negotiation is uniquely tied to a single phase two negotiation, and the ISAKMP SA established during phase one negotiation is never used again."
With this explanation does it mean that when PFS is enabled, ISAKMP rekeying cannot be done without deleting the session leading to a service disruption?
If at all possible, is there a way to avoid this disruption while PFS is activated?
Thank you for your time taken to explain this behavior.
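To make the RFC's distinction between "PFS of keys" and "PFS of identities" concrete, here is an added Python example (not from the original post, and not Cisco's code) of the RFC 2409 section 5.5 quick-mode KEYMAT derivation with and without the extra Diffie-Hellman exchange. It assumes HMAC-SHA1 as the prf, a constructed toy DH group in place of Oakley group 2, and made-up SKEYID_d and nonce values; only the SPI is taken from the log above.

```python
import hmac
import hashlib
import secrets

# Constructed toy Diffie-Hellman parameters, used only so the example runs fast;
# a peer negotiating PFS with DH group 2 uses the RFC 2409 1024-bit MODP group.
TOY_P = 2**127 - 1      # Mersenne prime
TOY_G = 3

PROTO_IPSEC_ESP = 3     # IPsec DOI protocol identifier for ESP

def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 uses the negotiated hash in HMAC form as its prf; HMAC-SHA1 here.
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    nbytes = (TOY_P.bit_length() + 7) // 8
    return pow(peer_pub, priv, TOY_P).to_bytes(nbytes, "big")

def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, gqm_xy=None):
    """KEYMAT as defined in RFC 2409 section 5.5.
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    body = bytes([protocol]) + spi + ni + nr
    if gqm_xy is not None:
        body = gqm_xy + body
    return prf(skeyid_d, body)

def pfs_quick_mode(skeyid_d, protocol, spi, ni, nr):
    """One quick mode with PFS: each side makes a fresh DH keypair, sends only
    the public value in its KE payload, and derives KEYMAT. Returns the
    initiator's KEYMAT, the responder's KEYMAT and the two public values."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    keymat_i = quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, dh_shared(xi, gxr))
    keymat_r = quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, dh_shared(xr, gxi))
    return keymat_i, keymat_r, (gxi, gxr)

if __name__ == "__main__":
    skeyid_d = b"\x11" * 20                    # constructed phase 1 secret
    spi = bytes.fromhex("85e0312a")            # SPI from the log above
    ni, nr = b"\x01" * 16, b"\x02" * 16        # constructed quick mode nonces
    print("no PFS :", quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr).hex())
    k_i, k_r, _ = pfs_quick_mode(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr)
    print("PFS    :", k_i.hex(), "(peers agree:", k_i == k_r, ")")
```

Without PFS every quick mode under one ISAKMP SA derives its keys from the same SKEYID_d plus values exchanged in that quick mode, whereas with PFS each quick mode mixes in a fresh g(qm)^xy whose private halves never leave either peer; that is the "PFS of keys" the RFC describes, and it does not by itself require deleting the ISAKMP SA, which the RFC reserves for the stricter "PFS of identities" case.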