AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
sa duration (IPSec policy view)

Function

The sa duration command sets the SA lifetime in an IPSec policy.

The undo sa duration command cancels the SA lifetime in an IPSec policy.

By default, the SA lifetime is not set in an IPSec policy. The system uses the global SA lifetime.

Format

sa duration { traffic-based size | time-based interval }

undo sa duration { traffic-based | time-based }

Parameters

| Parameter | Description | Value |
|---|---|---|
| traffic-based size | Specifies the traffic-based SA lifetime. | The value can be 0 or an integer that ranges from 2560 to 4194303, in Kbytes. |
| time-based interval | Specifies the time-based SA lifetime. | The value is an integer that ranges from 100 to 604800, in seconds. |

Views

IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the SA lifetime is set, SAs are renegotiated regularly instead of being used indefinitely, so each SA protects traffic only for a limited time or volume. This makes the SAs harder to crack and enhances security.

The SA lifetime can be measured by time or by traffic. The time-based lifetime and traffic-based lifetime are described as follows:
  • The time-based lifetime indicates the period of time an SA can exist after being established.

  • The traffic-based lifetime indicates the maximum traffic volume that an SA can process.

When the SA lifetime expires, an SA becomes invalid. If the time-based lifetime and traffic-based lifetime are both set for an SA, the SA becomes invalid when either lifetime is reached. When the SA is about to expire, IPSec peers negotiate a new SA. When the new SA is established, the two IPSec peers immediately use the new one.

The SA lifetime can be configured globally, based on IPSec profiles, or based on IPSec policies. If the SA lifetime is not set in an IPSec policy or IPSec profile, the global lifetime is used.

Precautions

By default, the global time-based SA lifetime (ipsec sa global-duration) is 3600 seconds; the global traffic-based SA lifetime is 1843200 Kbytes.

The SA lifetime is valid for only the SAs established in IKE negotiation mode. Manually established SAs are always valid.

Example

# Set the SA lifetime of an IPSec policy to 7200 seconds (2 hours).

<Huawei> system-view
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime of an IPSec policy to 20480 Kbytes (20 Mbytes).

<Huawei> system-view
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480

# Set the SA lifetime of an IPSec profile to 7200 seconds (2 hours).

<Huawei> system-view
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] sa duration time-based 7200

# Set the SA lifetime of an IPSec profile to 20480 Kbytes (20 Mbytes).

<Huawei> system-view
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] sa duration traffic-based 20480
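
The fallback and validity rules from Usage Guidelines, as an added example (not Huawei's code): a Python audit script that resolves which SA lifetimes each IPSec policy or profile in a saved configuration ends up with. The line form of `ipsec sa global-duration`, the `manual` policy keyword and the sample configuration are assumptions.

```python
import re

# Global defaults as stated on this page: seconds and Kbytes.
GLOBAL_DEFAULT = {"time-based": 3600, "traffic-based": 1843200}

def in_range(kind, value):
    if kind == "time-based":
        return 100 <= value <= 604800
    return value == 0 or 2560 <= value <= 4194303

def effective_lifetimes(config):
    """Map each IPSec policy/profile block to the SA lifetimes it ends up with."""
    glob, blocks, current = dict(GLOBAL_DEFAULT), {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # an unindented line closes the open block
            current = None
        line = raw.strip()
        # Assumed line form for the global command named under Precautions.
        if m := re.fullmatch(r"ipsec sa global-duration (time-based|traffic-based) (\d+)", line):
            glob[m[1]] = int(m[2])
        # The "manual" keyword is an assumption; the page only shows "isakmp".
        elif m := re.fullmatch(r"ipsec (policy \S+ \d+ (?:isakmp|manual)|profile \S+)", line):
            current = m[1]
            blocks[current] = {"set": {}, "notes": []}
        elif (m := re.fullmatch(r"sa duration (time-based|traffic-based) (\d+)", line)) and current:
            kind, value = m[1], int(m[2])
            if in_range(kind, value):
                blocks[current]["set"][kind] = value
            else:
                blocks[current]["notes"].append(f"{kind} {value} out of range")
    result = {}
    for name, b in blocks.items():
        # Lifetimes apply only to IKE-negotiated SAs; unset values use the global one.
        manual = name.startswith("policy ") and name.endswith(" manual")
        eff = {k: None if manual else b["set"].get(k, glob[k]) for k in glob}
        notes = b["notes"] + (["manual SA never expires"] if manual else [])
        result[name] = {**eff, "notes": notes}
    return result

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
ipsec sa global-duration time-based 7200
ipsec policy policy1 100 isakmp
 sa duration traffic-based 20480
ipsec policy policy1 200 manual
ipsec profile profile1
 sa duration time-based 50
"""
```

Calling `effective_lifetimes(SAMPLE)` returns one entry per policy or profile; a `None` lifetime marks a manual SA that is never rekeyed.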
Updated: 2019-05-29

Document ID: EDOC1000097293