ipsec sa global-duration

Function

The ipsec sa global-duration command sets a global SA duration.

The undo ipsec sa global-duration command restores the default setting.

By default, the traffic-based SA duration is 20000000 KB and the time-based one is 3600 seconds.

This command is supported only on the NetEngine 8000 F1A.

Format

ipsec sa global-duration { traffic-based { kilobytes | disable } | time-based seconds }

undo ipsec sa global-duration traffic-based [ disable ]

undo ipsec sa global-duration time-based

Parameters

| Parameter | Description | Value |
|---|---|---|
| traffic-based kilobytes | Indicates the traffic-based SA duration. | The value is an integer ranging from 8000 to 200000000, in kilobytes. Setting a value lower than the configured one is not recommended. |
| disable | Disables the traffic-based SA duration. After the traffic-based SA duration is disabled, only the time-based SA duration takes effect. | - |
| time-based seconds | Indicates the time-based SA duration. | The value is an integer ranging from 480 to 604800, in seconds. Retaining the default value is recommended. Using the minimum value is not recommended. If the traffic rate increases, using a larger value is recommended. |

Views

System view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| ike | write |

Usage Guidelines

Usage Scenario

When an SA is set up through IKE negotiation, the global duration defined with the ipsec sa global-duration command is used to negotiate with the remote peer only if the adopted security policy is not configured with its own duration. If the adopted security policy has its own duration configured, the system uses the security policy's duration to negotiate with the remote peer.

There are two methods to measure the duration:

  • Time-based duration: Indicates the period from the setup of the SA to its expiration.
  • Traffic-based duration: Indicates the maximum traffic volume that the SA is permitted to process.

When the specified time or traffic volume is reached, the SA becomes invalid. Before the SA expires, IKE negotiates a new SA for IPsec. Until the new SA is established, the old one continues to function. Once the new SA is ready, it is used immediately.
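The following added example (not Huawei code) checks candidate values against the ranges on this page and estimates which of the two limits a single SA reaches first at a sustained traffic rate. The function names are hypothetical, and it assumes 1 KB = 1024 bytes and that the whole rate is carried by one SA.

```python
# Added example (not Huawei code). Ranges and defaults are the ones stated on this page.
TRAFFIC_RANGE_KB = (8000, 200000000)
TIME_RANGE_S = (480, 604800)
DEFAULT_TRAFFIC_KB = 20000000
DEFAULT_TIME_S = 3600
BYTES_PER_KB = 1024  # assumption: the page does not define the size of a kilobyte


def effective_duration(global_value, policy_value=None):
    """A duration configured on the security policy replaces the global one."""
    return global_value if policy_value is None else policy_value


def validate(traffic_kb, time_s):
    """Return range violations; traffic_kb=None models 'traffic-based disable'."""
    errors = []
    lo, hi = TRAFFIC_RANGE_KB
    if traffic_kb is not None and not lo <= traffic_kb <= hi:
        errors.append(f"traffic-based {traffic_kb} outside {lo}-{hi} KB")
    lo, hi = TIME_RANGE_S
    if not lo <= time_s <= hi:
        errors.append(f"time-based {time_s} outside {lo}-{hi} s")
    return errors


def first_expiry(traffic_kb, time_s, rate_mbps):
    """Return (limit_reached_first, seconds) for one SA at a sustained rate in Mbit/s."""
    if traffic_kb is None or rate_mbps <= 0:
        return ("time-based", float(time_s))
    seconds_to_volume = traffic_kb * BYTES_PER_KB / (rate_mbps * 1_000_000 / 8)
    if seconds_to_volume < time_s:
        return ("traffic-based", seconds_to_volume)
    return ("time-based", float(time_s))


if __name__ == "__main__":
    # Constructed scenarios: (label, traffic KB or None, seconds, Mbit/s)
    scenarios = [
        ("defaults, 10 Mbit/s", DEFAULT_TRAFFIC_KB, DEFAULT_TIME_S, 10),
        ("defaults, 1 Gbit/s", DEFAULT_TRAFFIC_KB, DEFAULT_TIME_S, 1000),
        ("traffic disabled, 1 Gbit/s", None, DEFAULT_TIME_S, 1000),
    ]
    for label, kb, secs, rate in scenarios:
        assert validate(kb, secs) == []
        limit, after = first_expiry(kb, secs, rate)
        print(f"{label}: SA lifetime ends on the {limit} limit after {after:.0f} s")
```

With the default values, the traffic-based limit is the one reached first at high sustained rates, which is the situation in which the parameter table recommends a larger value.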

Precautions

The kilobytes parameter specified in the ipsec sa global-duration traffic-based kilobytes command cannot be the lower specification of current services.

Example

# Set the global SA duration to 20000 kilobytes.
<HUAWEI> system-view
[~HUAWEI] ipsec sa global-duration traffic-based 20000
# Set the global SA duration to 7200 seconds.
<HUAWEI> system-view
[~HUAWEI] ipsec sa global-duration time-based 7200
Copyright © Huawei Technologies Co., Ltd.