R3303-HP HSR6800 Routers Security Command Reference
297
kilobytes: Specifies the traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses.
If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by
the remote.
You can configure both a time-based and a traffic-based global SA lifetime. An SA is aged out when it
has existed for the specified time period or has processed the specified volume of traffic.
The SA lifetime applies to only IKE negotiated SAs. It is not effective on manually configured SAs.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
• sa duration
• display ipsec sa duration
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Views
System view
Default command level
2: System level
Parameters
transform-set-name: Specifies the name of an IPsec transform set, a case-insensitive string of 1 to 32
characters.
Examples
# Create an IPsec transform set named tran1 and enter its view.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1]