sa duration

Syntax

sa duration { time-based seconds | traffic-based kilobytes }

undo sa duration { time-based | traffic-based }

View

IPsec policy view

Default level

2: System level

Parameters

seconds: Time-based SA lifetime in seconds, in the range 180 to 604800.

kilobytes: Traffic-based SA lifetime in kilobytes, in the range 2560 to 4294967295.

Description

Use the sa duration command to set an SA lifetime for the IPsec policy.

Use the undo sa duration command to restore the default.

By default, the SA lifetime of an IPsec policy equals the current global SA lifetime.

By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.

When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy that it uses. If the IPsec policy or IPsec proposal is not configured with its own lifetime settings, IKE uses the global SA lifetime settings, which are configured with the ipsec sa global-duration command.

When negotiating to set up an SA, IKE prefers the shorter of the local lifetime settings and those proposed by the remote peer.

The SA lifetime applies only to IKE-negotiated SAs. It is not effective for manually configured SAs.

If IPsec uses IKE automatic negotiation, when IPsec SAs reach the traffic-based lifetime, the system notifies IKE to re-perform phase 1 and phase 2 negotiations.

Related commands: ipsec sa global-duration, ipsec policy (system view).

Examples

# Set the SA lifetime for IPsec policy policy1 to 7200 seconds (two hours).

<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).

<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
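
The precedence rules in the Description (policy setting over global setting, then the shorter of the local and remote values) can be checked offline against a saved configuration. The following Python audit script is an added example, not part of the original command reference. It assumes a saved-configuration layout in which policy settings are indented under their ipsec policy line, that ipsec sa global-duration takes the same time-based and traffic-based keywords, and that each lifetime type falls back to the global value independently; the function names and the sample configuration are constructed for illustration.

```python
import re

# Ranges and defaults as stated on this page.
RANGES = {"time-based": (180, 604800), "traffic-based": (2560, 4294967295)}
GLOBAL_DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}

POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) isakmp$")
DURATION_RE = re.compile(
    r"^(ipsec sa global-duration|sa duration) (time-based|traffic-based) (\d+)$")

# Constructed sample in the assumed saved-configuration layout.
SAMPLE_CONFIG = """\
ipsec sa global-duration time-based 1800
#
ipsec policy policy1 100 isakmp
 sa duration time-based 7200
#
ipsec policy policy1 200 isakmp
 sa duration traffic-based 20480
"""

def resolve_lifetimes(config_text):
    """Map (policy, seq) to its effective lifetimes after global fallback."""
    global_cfg, policies, current = dict(GLOBAL_DEFAULTS), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # a top-level line closes any open policy block
            m = POLICY_RE.match(line)
            current = (m.group(1), int(m.group(2))) if m else None
            if current:
                policies[current] = {}
        d = DURATION_RE.match(line)
        if not d:
            continue
        scope, kind, value = d.group(1), d.group(2), int(d.group(3))
        if scope == "ipsec sa global-duration":
            global_cfg[kind] = value
        elif current:
            lo, hi = RANGES[kind]
            if not lo <= value <= hi:
                raise ValueError(f"{current}: {kind} {value} outside {lo}-{hi}")
            policies[current][kind] = value
    # Assumption: each lifetime type falls back to the global value on its own.
    return {key: {**global_cfg, **own} for key, own in policies.items()}

def negotiated(local, remote):
    """IKE prefers the shorter of the local and remote-proposed lifetimes."""
    return {kind: min(local[kind], remote[kind]) for kind in local}
```

Running resolve_lifetimes over an exported configuration shows which policies silently inherit the global lifetime, and negotiated shows the value that takes effect when the peer proposes different lifetimes.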