CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Setting the IKE SA Lifetime

Context

After the SA lifetime is set, SAs are updated in real time, which makes them difficult to decipher and enhances security.

The IKE SA lifetime is classified as follows:
  • Hard lifetime (hard timeout period): specifies the lifetime of an IKE SA.

    When two devices negotiate an IKE SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime (soft timeout period): refers to the time after which a new IKE SA is negotiated so that the new IKE SA will be ready before the hard lifetime of the original IKE SA expires.

    Table 5-11 lists the default soft lifetime values.

    Table 5-11  Soft lifetime values

    IKE Protocol Type    Default Soft Lifetime
    IKEv1                7/10 of the actual hard SA lifetime
    IKEv2                7/10 of the actual hard SA lifetime

Before an IKE SA becomes invalid, IKE negotiates a new IKE SA for the remote end. The remote end uses the new IKE SA to protect IPSec communication immediately after the new IKE SA is negotiated. If service traffic is transmitted, the original IKE SA is deleted immediately. If no service traffic is transmitted, the original IKE SA is deleted after 10s or when the hard lifetime expires.

Changing the lifetime does not affect established IKE SAs; the changed value is used when new IKE SAs are established in subsequent negotiations.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ike proposal proposal-number

    The IKE proposal view is displayed.

  3. Run sa duration time-value

    The IKE SA hard lifetime is set.

    By default, the IKE SA lifetime is 86400s.

    When the hard lifetime expires, IKE SAs are updated automatically. IKE negotiation involves Diffie-Hellman key calculation, which takes a long time. To ensure that IKE SA updates do not affect secure communication, you are advised to set the lifetime to a value greater than 600s.
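
The rules in this section (the smaller configured value becomes the actual hard lifetime, the default soft lifetime is 7/10 of it, the default is 86400s, and values should be greater than 600s) can be checked for a pair of peers before deployment. The following is an added example, not part of the Huawei guide: the function names and both sample configurations are constructed for illustration. It assumes that "10s or the hard lifetime" means whichever comes first, and that the soft lifetime rounds down to whole seconds.

```python
import re

DEFAULT_SA_DURATION = 86400  # page: default IKE SA lifetime, seconds
MIN_RECOMMENDED = 600        # page: lifetime should be greater than 600s

def parse_sa_durations(config_text):
    """Map each 'ike proposal <n>' block to its hard lifetime in seconds."""
    durations, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ike proposal (\d+)", line):
            current = int(m.group(1))
            durations[current] = DEFAULT_SA_DURATION  # until overridden
        elif (m := re.fullmatch(r"sa duration (\d+)", line)) and current is not None:
            durations[current] = int(m.group(1))
        elif line == "#" or not raw.startswith(" "):
            current = None  # left the IKE proposal view
    return durations

def negotiated_lifetimes(local_hard, remote_hard):
    """Actual hard lifetime is the smaller value; default soft is 7/10 of it."""
    hard = min(local_hard, remote_hard)
    return hard, hard * 7 // 10

def old_sa_deleted_at(new_sa_ready, hard, traffic_seen):
    """Time (seconds after the old SA was set up) when the old SA is deleted.
    Assumption: '10s or hard lifetime' means whichever comes first."""
    return new_sa_ready if traffic_seen else min(new_sa_ready + 10, hard)

def audit(local_cfg, remote_cfg, local_prop, remote_prop):
    """Report the lifetimes a peer pair will actually use, plus warnings."""
    values = {"local": parse_sa_durations(local_cfg)[local_prop],
              "remote": parse_sa_durations(remote_cfg)[remote_prop]}
    hard, soft = negotiated_lifetimes(values["local"], values["remote"])
    warnings = [f"{side}: sa duration {v}s is not greater than {MIN_RECOMMENDED}s"
                for side, v in values.items() if v <= MIN_RECOMMENDED]
    return {"hard": hard, "soft": soft, "warnings": warnings}

# Constructed sample configurations (not taken from a real device).
LOCAL_CFG = "#\nike proposal 10\n sa duration 3600\n#\nike proposal 20\n#\n"
REMOTE_CFG = "#\nike proposal 5\n sa duration 500\n#\n"

if __name__ == "__main__":
    print(audit(LOCAL_CFG, REMOTE_CFG, 10, 5))
    print(audit(LOCAL_CFG, REMOTE_CFG, 20, 5))
```

In the sample, the remote peer's 500s value becomes the actual hard lifetime for both ends, so a short value on either device silently shortens the lifetime of the whole tunnel.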

Updated: 2019-08-07

Document ID: EDOC1100033725