NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring the Lifetime of the IKE SA

Configuring the lifetime of an SA limits how long a key remains in use, which prevents the potential security risks of using a key for a long period of time.

Procedure

  • Lifetime of the IKE SA

    For configuration details, see Configuring the IKE Proposal.

  • Lifetime of the IPsec SA (global SA lifetime)
    1. Run system-view

      The system view is displayed.

    2. (Optional) Run ipsec sa global-duration { traffic-based kilobytes | traffic-based disable | time-based seconds }

      The global SA lifetime is configured.

      Pay attention to the following aspects when configuring the global SA lifetime:

      • If the lifetime is not specified for a specific SA, the SA uses the global SA lifetime.

      • When the global SA lifetime is changed, the policies for which the lifetime is independently configured are not affected, and the established SAs are not affected. In subsequent IKE negotiations, the new global SA lifetime is used to establish new SAs.

    3. Run commit

      The configuration is committed.

  • Lifetime of the IPsec SA (per-SA lifetime)
    1. Run system-view

      The system view is displayed.

    2. Enter the IPsec policy view or IPsec policy template view based on actual requirements.

      • Run the ipsec policy policy-name sequence-number command to enter the IPsec policy view.
      • Run the ipsec policy-template template-name sequence-number command to enter the IPsec policy template view.

    3. (Optional) Run sa duration { traffic-based kilobytes | traffic-based disable | time-based seconds }

      The lifetime of the current IPsec SA is configured.

      Pay attention to the following aspects when configuring the lifetime of an IPsec SA:

      • If the IPsec SA is established through IKEv1 negotiation, the lifetime is set to the smaller of the lifetime configured on the local end and the lifetime suggested by the peer end. The lifetimes configured on the two ends are not required to be consistent.
      • If the IPsec SA is established through IKEv2 negotiation, the lifetime is not negotiated. Each end of the tunnel uses its own lifetime, and the lifetimes configured on the two ends are not required to be consistent. When the lifetime on one end expires, that end proactively initiates the negotiation, and the peer end responds to the negotiation.
      • If the lifetime is changed, the established SAs are not affected. In subsequent IKE negotiations, the new SA lifetime is used to establish new SAs.

    4. Run commit

      The configuration is committed.

Follow-up Procedure

Run the display ipsec sa duration command to check the global IPsec SA lifetime.
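
The following Python audit is an added example, not part of the original guide or Huawei tooling. It applies the rule above that a policy without its own sa duration inherits the global SA lifetime, and flags effective lifetimes that exceed a site threshold. The configuration layout, policy names, values and the 28800-second threshold are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from the page): stanza layout, names and values are assumptions.
SAMPLE_CONFIG = """\
ipsec sa global-duration time-based 7200
ipsec sa global-duration traffic-based disable
#
ipsec policy branch-a 10
 sa duration time-based 3600
 sa duration traffic-based 1843200
#
ipsec policy branch-b 10
#
ipsec policy-template tmpl-c 1
 sa duration time-based 86400
#
"""

KINDS = ("time-based", "traffic-based")
VALUE = r"(time-based|traffic-based) (\d+|disable)\s*$"
GLOBAL = re.compile(r"^ipsec sa global-duration " + VALUE)
LOCAL = re.compile(r"^\s+sa duration " + VALUE)
POLICY = re.compile(r"^ipsec (?:policy|policy-template) (\S+) (\d+)")

def parse(config):
    """Return (global lifetimes, {"name seq": per-policy lifetimes})."""
    global_lt, policies, current = {}, {}, None
    for line in config.splitlines():
        if m := POLICY.match(line):
            current = policies.setdefault(f"{m[1]} {m[2]}", {})
        elif m := GLOBAL.match(line):
            global_lt[m[1]], current = m[2], None
        elif (m := LOCAL.match(line)) and current is not None:
            current[m[1]] = m[2]
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the policy stanza
    return global_lt, policies

def effective(global_lt, policy_lt):
    """Per-policy value wins; otherwise the global one applies (None: device default)."""
    return {k: policy_lt.get(k, global_lt.get(k)) for k in KINDS}

def audit(config, max_seconds=28800):  # threshold is an assumed site policy
    global_lt, policies = parse(config)
    findings = []
    for name, lt in policies.items():
        eff = effective(global_lt, lt)
        t = eff["time-based"]
        if t and t.isdigit() and int(t) > max_seconds:
            findings.append((name, f"time-based {t}s exceeds {max_seconds}s"))
        if eff["traffic-based"] == "disable":
            findings.append((name, "traffic-based rekey disabled"))
    return findings
```

The result describes the lifetimes that new SAs would use; as noted above, SAs that are already established keep the lifetime they were created with.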

Updated: 2019-01-02

Document ID: EDOC1100055397
