Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

ipsec sa global-duration

Function

The ipsec sa global-duration command sets the global lifetime of SAs.

The undo ipsec sa global-duration command restores the default global SA lifetime.

By default, the global time-based SA lifetime is 3600 seconds; the global traffic-based SA lifetime is 1843200 Kbytes.

Format

ipsec sa global-duration { time-based interval | traffic-based size }

undo ipsec sa global-duration { time-based | traffic-based }

Parameters

| Parameter | Description | Value |
|---|---|---|
| time-based interval | Specifies the time-based global SA lifetime. When a large number of IPSec tunnels are established between two devices, you are advised to set the global IPSec SA lifetime to a value greater than or equal to 1800 seconds. | The value is an integer that ranges from 100 to 604800, in seconds. |
| traffic-based size | Specifies the traffic-based global SA lifetime. It is recommended that the value of size/bandwidth be greater than or equal to 3600 seconds. | The value can be 0 or an integer that ranges from 2560 to 4194303, in Kbytes. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the SA lifetime is set, SAs are updated regularly, which makes them more difficult to crack and enhances security.

The SA lifetime can be measured by time or by traffic. The time-based lifetime and traffic-based lifetime are described as follows:
  • The time-based lifetime indicates the period of time an SA can exist after being established.

  • The traffic-based lifetime indicates the maximum traffic volume that an SA can process.

When the SA lifetime expires, an SA becomes invalid. If the time-based lifetime and traffic-based lifetime are both set for an SA, the SA becomes invalid when either lifetime is reached. When the SA is about to expire, IPSec peers negotiate a new SA. When the new SA is established, the two IPSec peers immediately use the new one.

Precautions

The lifetime takes effect only for SAs that are established through IKE negotiation. It does not apply to manually created SAs.

The SA lifetime can be configured globally, based on IPSec profiles, or based on IPSec policies. If the SA lifetime is not set in an IPSec policy or IPSec profile, the global lifetime is used.

Example

# Set the time-based global SA lifetime to 2 hours.

<Huawei> system-view
[Huawei] ipsec sa global-duration time-based 7200

# Set the traffic-based global SA lifetime to 10 Megabytes.

<Huawei> system-view
[Huawei] ipsec sa global-duration traffic-based 10240
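
The following is an added example, not part of the original command reference or any Huawei tool: a small Python audit that reads configuration lines, works out the effective global SA lifetimes using the defaults and ranges stated above, and reports where the two recommendations in the Parameters table are not met. The function names and the `kbytes_per_s` input (an assumed sustained rate through one SA, in Kbytes per second, standing in for "bandwidth") are assumptions.

```python
import re

# Defaults and ranges as stated on this page.
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}      # seconds, Kbytes
RANGES = {"time-based": (100, 604800), "traffic-based": (2560, 4194303)}
CMD = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?(undo\s+)?ipsec\s+sa\s+global-duration\s+"
                 r"(time-based|traffic-based)(?:\s+(\d+))?\s*$")

def global_lifetimes(config_text):
    """Apply the commands in order; return {'time-based': s, 'traffic-based': Kbytes}."""
    life = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = CMD.match(line)
        if not m:
            continue                      # unrelated line (e.g. system-view)
        undo, kind, value = m.groups()
        if undo:
            life[kind] = DEFAULTS[kind]   # undo restores the default
            continue
        if value is None:
            raise ValueError(f"missing value: {line.strip()}")
        value, (low, high) = int(value), RANGES[kind]
        # traffic-based also accepts 0 in addition to its range
        if not (low <= value <= high or (kind == "traffic-based" and value == 0)):
            raise ValueError(f"{kind} {value} is outside {low}-{high}")
        life[kind] = value
    return life

def audit(config_text, kbytes_per_s, many_tunnels=False):
    """Return findings against the page's two recommendations.
    kbytes_per_s is an assumed sustained rate through one SA."""
    life, findings = global_lifetimes(config_text), []
    t, size = life["time-based"], life["traffic-based"]
    if many_tunnels and t < 1800:
        findings.append(f"time-based {t}s is below 1800s with many tunnels")
    # The page does not say what traffic-based 0 does, so it is not evaluated.
    if size and size / kbytes_per_s < 3600:
        findings.append(f"traffic-based {size} Kbytes lasts {size / kbytes_per_s:.0f}s "
                        f"at {kbytes_per_s} Kbytes/s, below 3600s")
    return findings

# Constructed sample: the two example commands from this page.
SAMPLE = """<Huawei> system-view
[Huawei] ipsec sa global-duration time-based 7200
[Huawei] ipsec sa global-duration traffic-based 10240"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, kbytes_per_s=100):
        print(finding)
```

With the default traffic-based lifetime of 1843200 Kbytes, the size/bandwidth recommendation is met only up to 512 Kbytes per second; above that rate the traffic-based limit is reached before 3600 seconds.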
Updated: 2019-02-18

Document ID: EDOC1000097293
