Configuring the IPsec session idle timeout
This feature is supported only in FIPS mode.
An IPsec session is created when the first packet matching an IPsec policy arrives. At the same time, an IPsec session entry is created, which records the quintuplet (source IP address, destination IP address, protocol number, source port, and destination port) and the matched IPsec tunnel.
An IPsec session is automatically deleted after the idle timeout expires.
Subsequent data flows are looked up in the session entries by quintuplet. If a matching entry is found, the flow is processed according to the tunnel information recorded in that entry; otherwise, it goes through the original IPsec process: the policy group or policy applied to the interface is searched first, and then the matched tunnel.
The IPsec session processing mechanism skips these intermediate matching steps for established flows, improving IPsec forwarding efficiency.
To set the IPsec session idle timeout:
| Step | Command | Remark |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the IPsec session idle timeout. | ipsec session idle-time seconds | Optional. 300 seconds by default. |
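The session mechanism described above, as an added illustrative model rather than the device's own implementation: a table keyed by the quintuplet, a policy lookup that only runs on a miss, and idle-timeout deletion that forces the next packet of a stale flow back through the policy search. The class and policy names, the prefixes, the tunnel name `tunnel-to-siteB` and the traffic in `demo()` are all constructed for this example; the default idle time of 300 seconds is the one the table above documents.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Quintuplet recorded in a session entry: (src IP, dst IP, protocol, src port, dst port).
Quintuplet = Tuple[str, str, int, int, int]


@dataclass
class IpsecPolicy:
    """One policy of the group applied at the interface (constructed shape, not the
    device's data model): traffic inside src/dst prefixes is sent to `tunnel`."""
    name: str
    src_prefix: str
    dst_prefix: str
    tunnel: str

    def matches(self, key: Quintuplet) -> bool:
        src, dst, _proto, _sport, _dport = key
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_prefix)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_prefix))


@dataclass
class SessionEntry:
    tunnel: str
    last_seen: float  # time of the last packet of this flow; drives the idle timeout


class IpsecSessionTable:
    """Hypothetical session cache: quintuplet -> matched tunnel, with idle expiry."""

    def __init__(self, policies: List[IpsecPolicy], idle_time: int = 300):
        self.policies = policies
        self.idle_time = idle_time          # value set by `ipsec session idle-time`
        self.sessions: Dict[Quintuplet, SessionEntry] = {}
        self.policy_lookups = 0             # counts the slow path, for inspection

    def _lookup_policy(self, key: Quintuplet) -> Optional[str]:
        """Original IPsec process: walk the policy group, return the matched tunnel."""
        self.policy_lookups += 1
        for policy in self.policies:
            if policy.matches(key):
                return policy.tunnel
        return None

    def expire_idle(self, now: float) -> int:
        """Delete every session whose idle time has reached the timeout."""
        stale = [k for k, s in self.sessions.items() if now - s.last_seen >= self.idle_time]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def forward(self, key: Quintuplet, now: float) -> Tuple[Optional[str], str]:
        """Return (tunnel or None, 'session' | 'policy') for one packet seen at `now`."""
        self.expire_idle(now)
        entry = self.sessions.get(key)
        if entry is not None:
            entry.last_seen = now           # each packet refreshes the idle timer
            return entry.tunnel, "session"
        tunnel = self._lookup_policy(key)
        if tunnel is not None:              # first matching packet creates the session
            self.sessions[key] = SessionEntry(tunnel, now)
        return tunnel, "policy"


def demo() -> List[Tuple[Optional[str], str]]:
    """Constructed traffic: one TCP flow, one unprotected flow, then the first flow
    again after it has sat idle for longer than the 300-second default."""
    table = IpsecSessionTable(
        [IpsecPolicy("policy1", "10.1.1.0/24", "10.2.2.0/24", "tunnel-to-siteB")],
        idle_time=300,
    )
    flow: Quintuplet = ("10.1.1.10", "10.2.2.20", 6, 40000, 443)
    other: Quintuplet = ("192.168.9.9", "10.2.2.20", 6, 40001, 443)
    return [
        table.forward(flow, now=0.0),      # miss: policy lookup, session created
        table.forward(flow, now=120.0),    # hit: session entry used, timer refreshed
        table.forward(flow, now=419.0),    # hit: 299 s idle, still below the timeout
        table.forward(other, now=420.0),   # no policy matches: no tunnel, no session
        table.forward(flow, now=720.0),    # 301 s idle: entry deleted, policy path again
    ]


if __name__ == "__main__":
    for tunnel, path in demo():
        print(f"{path:8s} -> {tunnel}")
```

Only the first packet of a flow and the first packet after an idle gap pay for the policy search; everything in between is served from the session entry, which is the efficiency gain the text describes. Shortening `idle-time` frees entries sooner at the cost of more policy lookups for bursty flows.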