R3303-HP HSR6800 Routers Security Command Reference
308
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
The time-based global SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
seconds: Specifies the time-based SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Specifies the traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy or IPsec profile that
it uses. If the IPsec policy or IPsec transform set is not configured with its own lifetime settings, IKE uses the
global SA lifetime settings, which are configured with the ipsec sa global-duration command.
When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those
proposed by the remote.
The SA lifetime applies to only IKE negotiated SAs. It is not effective on manually configured SAs.
Examples
# Set the SA lifetime for IPsec policy1 to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
# Set the SA lifetime for IPsec profile profile1 to 7200 seconds (two hours).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration time-based 7200
# Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec profile profile1