No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
WLAN AC V200R010C00 Command Reference
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
ipsec sa global-duration

ipsec sa global-duration

Function

The ipsec sa global-duration command sets the global hard lifetime of IPSec SAs.

The undo ipsec sa global-duration command restores the default global hard lifetime of IPSec SAs.

By default, the global time-based SA hard lifetime is 3600 seconds and the global traffic-based SA hard lifetime is 1843200 Kbytes.

Format

ipsec sa global-duration { time-based interval | traffic-based size }

undo ipsec sa global-duration { time-based | traffic-based }

Parameters

Parameter Description Value
time-based interval Specifies the time-based global IPSec SA hard lifetime.

When a large number of IPSec tunnels are established between two devices, you are advised to set the global IPSec SA hard lifetime to a value larger than or equivalent to 1800s.

 It is an integer that ranges from 30 to 604800, in seconds.
traffic-based size Specifies the traffic-based global IPSec SA hard lifetime.

It is recommended that the traffic volume be equal to or larger than the size of IPSec traffic forwarded in 1 hour.

The value is 0 or an integer from 256 to 200000000, in Kbytes.

  • IKEv1 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, both the local and remote devices disable the traffic timeout function.
  • IKEv2 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, the local device disables the traffic timeout function.
During IPSec negotiation between a Huawei device and a Cisco device using IKEv1:
  • If the Huawei device functions as the initiator and the traffic hard lifetime is set to 0, the traffic hard lifetime value pushed by the Cisco device takes effect on the local end.
  • If the Huawei device functions as the responder and the traffic hard lifetime is set to 0, the value 0 takes effect on the local end.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

For a dynamic SA, configure the SA hard lifetime so that the SA can be updated in real time, reducing the crash risk and improving security.

There are two methods to measure the lifetime:

  • Time-based lifetime

    The period from when an SA is set up to when the SA is expired.

  • Traffic-based lifetime

    The maximum volume of traffic that this SA can process.

The lifetime is classified as follows:

  • Hard lifetime: specifies the lifetime of an IPSec SA.

    When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime: specifies the time after which a new IPSec SA is negotiated so that the new IPSec SA will be ready before the hard lifetime of the original IPSec SA expires.

    Table 20-44 lists the default soft lifetime values.
    Table 20-44  Soft lifetime values
    Soft Lifetime Type Description
    Time-based soft lifetime (soft timeout period)

    The value is 70% of the actual hard lifetime (hard timeout period).
    Traffic-based soft lifetime (soft timeout traffic)
    • For IKEv1, the value is 70% of the actual hard lifetime (hard timeout traffic).
    • For IKEv2, the value is 65% to 75% of the actual hard lifetime (hard timeout traffic) plus or minus a random value.

Before an IPSec SA becomes invalid, IKE negotiates a new IPSec SA for the remote end. The remote end uses the new IPSec SA to protect IPSec communication immediately after the new IPSec SA is negotiated. If service traffic is transmitted, the original IPSec SA is deleted immediately. If no service traffic is transmitted, the original IPSec SA will be deleted after 10s or the hard lifetime expires.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

Precautions

You only need to specify the SA lifetime for the SA setup through the IKE negotiation. That is, it is invalid to the SA manually set up. The manually set up SA is effective permanently.

The SA lifetime can be configured globally or based on an IPSec policy or profile. If no SA lifetime is configured for the IPSec policy or profile, the global lifetime is used. If both the global SA lifetime and lifetime based on the IPSec policy or profile are configured, the latter one takes effect.

During IKEv1 negotiation:
  • The responder cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator cannot initiate IPSec SA renegotiation when its IKE SA is deleted and the IPSec SA soft lifetime expires.

During IKEv2 negotiation, the initiator or responder cannot initiate IPSec SA renegotiation if the IKE SA is deleted and the IPSec SA soft lifetime expires.

Example

# Set the time-based global SA hard lifetime to 7200s.

<AC6605> system-view
[AC6605] ipsec sa global-duration time-based 7200

# Set the traffic-based global SA hard lifetime to 10 MB.

<AC6605> system-view
[AC6605] ipsec sa global-duration traffic-based 10240
Translation
简体中文
Download
Updated: 2021-02-27

Document ID: EDOC1100064351

Views: 3194062

Downloads: 595

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :