549
Usage guidelines
You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view. The
device prefers the IPsec SA lifetimes configured in IPsec policy view or IPsec policy template view
over the global IPsec SA lifetimes.
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer,
whichever are smaller.
An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which
takes over immediately after its creation.
Examples
# Configure the global IPsec SA lifetime as 7200 seconds.
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Configure the global IPsec SA lifetime as 10240 kilobytes.
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
display ipsec sa
sa duration
ipsec sa idle-time
Use ipsec sa idle-time to enable the global IPsec SA idle timeout feature and set the idle timeout. If
no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo ipsec sa idle-time to disable the global IPsec SA idle timeout feature.
Syntax
ipsec sa idle-time seconds
undo ipsec sa idle-time
Default
The global IPsec SA idle timeout feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Usage guidelines
This feature applies only to IPsec SAs negotiated by IKE.
The IPsec SA idle timeout can also be configured in IPsec policy view, IPsec policy template view, or
IPsec profile view, which takes precedence over the global IPsec SA timeout.
Examples
# Enable the global IPsec SA idle timeout feature and set the IPsec SA idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec sa idle-time 600
To Next Page
Loading...
Need help?
General
