CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Setting the SA Lifetime

Context

NOTE:
  • The configured IPSec SA lifetime is only valid for the new IPSec SAs established in IKE negotiation mode.

For a dynamic SA, configure the SA hard lifetime so that the SA is renegotiated periodically, reducing the risk of the SA being cracked and improving security.

There are two methods to measure the lifetime:
  • Time-based lifetime

    The period from when an SA is set up to when the SA expires.

  • Traffic-based lifetime

    The maximum volume of traffic that this SA can process.

The lifetime is classified as follows:
  • Hard lifetime: specifies the lifetime of an IPSec SA.

    When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime: specifies the time after which a new IPSec SA is negotiated so that the new IPSec SA will be ready before the hard lifetime of the original IPSec SA expires.

    Table 5-8 lists the default soft lifetime values.

    Table 5-8  Soft lifetime values

    | Soft Lifetime Type | Description |
    |---|---|
    | Time-based soft lifetime (soft timeout period) | The value is 7/10 of the actual hard lifetime (hard timeout period). |
    | Traffic-based soft lifetime (soft timeout traffic) | The value is 7/10 of the actual hard lifetime (hard timeout traffic). |

Before an IPSec SA becomes invalid, IKE negotiates a new IPSec SA for the remote end. The remote end uses the new IPSec SA to protect IPSec communication immediately after the new IPSec SA is negotiated. If service traffic is transmitted, the original IPSec SA is deleted immediately. If no service traffic is transmitted, the original IPSec SA is deleted after 10 seconds or when the hard lifetime expires.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

You can set the global SA hard lifetime or set the SA hard lifetime in an IPSec profile. If the SA hard lifetime is not set in an IPSec profile, the global hard lifetime is used. If both the global SA hard lifetime and the SA hard lifetime in an IPSec profile are set, the SA hard lifetime in the IPSec profile takes effect.

Procedure

  • Set the global IPSec SA hard lifetime.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec sa global-duration { time-based interval | traffic-based size }

      The global IPSec SA hard lifetime is set.

      By default, the global time-based SA hard lifetime is 3600 seconds and the global traffic-based SA hard lifetime is 1843200 Kbytes.

  • Set the IPSec SA hard lifetime in an IPSec profile.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec profile profile-name

      An IPSec profile is created and the IPSec profile view is displayed.

    3. Run sa duration { time-based interval | traffic-based size }

      The IPSec SA hard lifetime is set in the IPSec profile.

      By default, the IPSec SA hard lifetime is not set in an IPSec profile. The system uses the global IPSec SA hard lifetime.
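
The following Python sketch is an added example, not part of the Huawei guide or device software. It models the rules in the Context section (profile over global, the smaller value of the two peers, soft lifetime at 7/10) to show which limit triggers renegotiation first. It assumes that precedence is resolved separately for the time and traffic values, that 7/10 is rounded down, that renegotiation starts at whichever soft limit is reached first, and that traffic flows at a steady rate.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIME_S = 3600         # global default stated on this page
DEFAULT_TRAFFIC_KB = 1843200  # global default stated on this page


@dataclass
class Lifetime:
    time_s: Optional[int] = None      # None means "not configured"
    traffic_kb: Optional[int] = None


def _first_set(*values):
    return next(v for v in values if v is not None)


def local_hard(global_cfg: Lifetime, profile_cfg: Lifetime) -> Lifetime:
    """Profile value wins over the global value; the global default is the fallback."""
    return Lifetime(
        _first_set(profile_cfg.time_s, global_cfg.time_s, DEFAULT_TIME_S),
        _first_set(profile_cfg.traffic_kb, global_cfg.traffic_kb, DEFAULT_TRAFFIC_KB),
    )


def negotiated_hard(a: Lifetime, b: Lifetime) -> Lifetime:
    """The actual hard lifetime is the smaller of the two peers' values."""
    return Lifetime(min(a.time_s, b.time_s), min(a.traffic_kb, b.traffic_kb))


def soft(hard: Lifetime) -> Lifetime:
    """Soft lifetime is 7/10 of the actual hard lifetime (rounding down is assumed)."""
    return Lifetime(hard.time_s * 7 // 10, hard.traffic_kb * 7 // 10)


def rekey_trigger(hard: Lifetime, rate_kb_per_s: float):
    """Return (seconds until a soft limit is reached, which limit is reached first)."""
    s = soft(hard)
    by_traffic = s.traffic_kb / rate_kb_per_s if rate_kb_per_s > 0 else float("inf")
    if by_traffic < s.time_s:
        return by_traffic, "traffic-based"
    return float(s.time_s), "time-based"


if __name__ == "__main__":
    # Constructed sample: local profile sets 1800 s, peer sets 7200 s globally.
    local = local_hard(Lifetime(), Lifetime(time_s=1800))
    peer = local_hard(Lifetime(time_s=7200), Lifetime())
    hard = negotiated_hard(local, peer)
    for rate in (100, 10000):  # Kbytes per second, constructed values
        print(rate, hard, soft(hard), rekey_trigger(hard, rate))
```

On a busy tunnel the default traffic-based limit is reached long before the time-based one, so size the traffic-based value to the link rate if frequent renegotiation is a concern.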

Updated: 2019-08-07

Document ID: EDOC1100033725
