Implementing IPSec Network Security on Cisco IOS XR Software
How to Implement General IPSec Configurations for IPSec Networks
SC-121
Cisco IOS XR System Security Configuration Guide
Note This IPSec feature is supported only on the Cisco IPSec VPN SPA.
Lifetimes for IPSec Security Associations
Cisco IOS XR software allows lifetimes to be configured for IPSec SAs, either globally or for each
crypto profile. Two lifetimes exist: a “timed” lifetime (measured in seconds) and a
“traffic-volume” lifetime (measured in kilobytes). A security association expires as soon as the first
of these two lifetimes is reached, whichever that is.
IPSec Security Association Idle Timers
The IPSec SA idle timers are different from the global lifetimes for IPSec SAs. The expiration of the
global lifetime is independent of peer activity. The IPSec SA idle timer allows SAs associated with
inactive peers to be deleted before the global lifetime has expired.
If the IPSec SA idle timers are not configured, only the global lifetimes for IPSec SAs are applied. SAs
are maintained until the global timers expire, regardless of peer activity.
Note If the last IPSec SA to a given peer is deleted because of idle timer expiration, the Internet Key Exchange
(IKE) SA to that peer is also deleted.
Configuring the IPSec SA Idle Timer Globally
This task configures IPSec security association (SA) idle timers globally.
SUMMARY STEPS
1. configure
2. crypto ipsec security-association idle-time seconds
3. end
or
commit
DETAILED STEPS
Command or Action | Purpose
Step 1
configure
Example:
RP/0/0/CPU0:router# configure
Enters global configuration mode.
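The following session, added here as an illustration and not taken from the guide, shows the global idle timer configured together with the two global lifetimes described above, so that the relationship between them is visible in one place. The lifetime command syntax (crypto ipsec security-association lifetime {kilobytes | seconds}) is assumed from the guide's description of the two lifetimes and does not appear on this page; the values 3600 seconds, 4608000 kilobytes and 600 seconds are arbitrary example values, and the show crypto ipsec sa command is assumed as the verification step.

```text
! Added example, not from the guide. Global IPSec SA lifetimes plus an idle timer.
! Values are illustrative; consult the command reference for the permitted ranges.
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec security-association lifetime seconds 3600
RP/0/0/CPU0:router(config)# crypto ipsec security-association lifetime kilobytes 4608000
RP/0/0/CPU0:router(config)# crypto ipsec security-association idle-time 600
RP/0/0/CPU0:router(config)# commit
RP/0/0/CPU0:router(config)# end
! Assumed verification step: inspect the installed SAs and their remaining lifetimes.
RP/0/0/CPU0:router# show crypto ipsec sa
```

With these values an SA to an active peer is renegotiated after 3600 seconds or 4608000 kilobytes of protected traffic, whichever comes first, while an SA to a peer that stops sending traffic is deleted after 600 seconds of inactivity, well before the timed lifetime expires. The idle timer is only useful when it is shorter than the timed lifetime; an idle-time equal to or larger than the lifetime never fires. Remember also the note above: when the idle timer removes the last IPSec SA to a peer, the IKE SA to that peer is removed as well, so the next packet to that peer triggers a full IKE negotiation rather than just a new IPSec SA.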