sa duration
Function
The sa duration command sets an SA duration.
The undo sa duration command restores the default setting.
By default, the traffic-based SA duration is 20000000 KB and the time-based one is 3600 seconds.
This command is supported only on the NetEngine 8000 F1A.
Parameters
| Parameter | Description | Value |
|---|---|---|
| time-based salifetimesec |
Indicates the time-based SA duration. |
The value is an integer ranging from 480 to 604800, in seconds. |
| traffic-based salifetimekb |
Indicates the traffic-based SA duration. |
The value is an integer ranging from 8000 to 200000000, in kilobytes. |
| disable |
Disables the traffic-based SA duration. After the traffic-based SA duration is disabled, only the time-based SA duration takes effect. |
- |
Usage Guidelines
If the adopted ipsec security policy has been configured, the system uses the duration of security policy to negotiate with the remote else it define a global duration using this command it negotiate with the remote.
There are two methods to measure the duration:- Time-based duration: Indicates the period that starts from setup of the SA to expiration of the SA.
- Traffic-based duration: Indicates the maximum of traffic volume that this SA is permitted to process. If the duration reaches the specified time or traffic volume, the SA loses effect. Before expiration of SA, IKE negotiates to establish a new SA for IPsec. Before the new SA is established, the old one continues functioning. After the new SA is well prepared, it is used immediately.
Example
<HUAWEI> system-view [~HUAWEI] ipsec policy-template policy2 1 [*HUAWEI-ipsec-policy-templet-policy2-1] sa duration traffic-based 20000
<HUAWEI> system-view [~HUAWEI] ipsec policy policy1 1 isakmp [*HUAWEI-ipsec-policy-isakmp-policy1-1] sa duration time-based 7200