ipsec sa global-duration
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
View
System view
Default level
2: System level
Parameters
seconds: Time-based global SA lifetime in seconds, in the range 180 to 604800.
kilobytes: Traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.
Description
Use the ipsec sa global-duration command to configure the global SA lifetime.
Use the undo ipsec sa global-duration command to restore the default.
By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE prefers the shorter of the local lifetime and the lifetime proposed by the remote peer.
You can configure both a time-based lifetime and a traffic-based lifetime. An SA expires when either lifetime expires.
The SA lifetime applies only to IKE-negotiated SAs. It does not take effect for manually configured SAs.
If IPsec uses IKE automatic negotiation, when IPsec SAs reach the traffic-based lifetime, IPsec notifies IKE to re-perform phase 1 and phase 2 negotiations.
Related commands: sa duration.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).
[Sysname] ipsec sa global-duration traffic-based 10240
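The following Python example is added here and is not vendor code. It parses ipsec sa global-duration lines from a saved configuration, enforces the ranges and defaults stated under Parameters and Description, and applies the precedence rules from the Description. The function names, the dictionary form of the policy and remote lifetimes, and the sample configuration are assumptions made for illustration.

```python
import re

# Defaults and ranges as stated on this page.
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}
RANGES = {"time-based": (180, 604800), "traffic-based": (2560, 4294967295)}
_CMD = re.compile(r"^(undo\s+)?ipsec\s+sa\s+global-duration\s+"
                  r"(time-based|traffic-based)(?:\s+(\d+))?$")

def parse_global_duration(config_text):
    """Return the global SA lifetimes after applying each command in order."""
    life = dict(DEFAULTS)
    for raw in config_text.splitlines():
        m = _CMD.match(raw.strip())
        if not m:
            continue  # not an ipsec sa global-duration line
        undo, kind, value = m.groups()
        if undo:
            life[kind] = DEFAULTS[kind]  # undo restores the default
            continue
        if value is None:
            raise ValueError(f"missing value: {raw.strip()!r}")
        lo, hi = RANGES[kind]
        if not lo <= int(value) <= hi:
            raise ValueError(f"{kind} value {value} outside {lo}-{hi}")
        life[kind] = int(value)
    return life

def effective_lifetime(global_life, policy_life=None, remote_life=None):
    """A policy lifetime overrides the global one; then the shorter of
    the local and remote lifetimes is used (dict inputs are assumed)."""
    result = {}
    for kind in DEFAULTS:
        local = (policy_life or {}).get(kind, global_life[kind])
        remote = (remote_life or {}).get(kind)
        result[kind] = local if remote is None else min(local, remote)
    return result

def sa_expired(life, age_seconds, kilobytes_sent):
    """An SA expires when either lifetime is reached."""
    return (age_seconds >= life["time-based"]
            or kilobytes_sent >= life["traffic-based"])

# Constructed sample configuration (not from a real device).
SAMPLE = """
ipsec sa global-duration time-based 7200
ipsec sa global-duration traffic-based 10240
"""

if __name__ == "__main__":
    g = parse_global_duration(SAMPLE)
    print(g, effective_lifetime(g, remote_life={"time-based": 3600}))
```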