548
Default
IPsec redundancy is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
With IPsec redundancy enabled, the system synchronizes the following information from the active
device to the standby device at configurable intervals:
• Lower bound values of the IPsec anti-replay window for inbound packets.
• IPsec anti-replay sequence numbers for outbound packets.
The synchronization ensures uninterrupted IPsec traffic forwarding and anti-replay protection when
the active device fails.
To configure synchronization intervals, use the redundancy replay-interval command.
Examples
# Enable IPsec redundancy.
<Sysname> system-view
[Sysname] ipsec redundancy enable
Related commands
redundancy replay-interval
ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is
1843200 kilobytes.
Views
System view
Predefined user roles
network-admin
Parameters
time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to
604800 seconds.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560
to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
To Next Page
Loading...
Need help?
General
