HP VPN Firewall Appliances VPN Command Reference
96
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format
(both in hexadecimal format or both in string format), and the keys must be specified in the same format
for both ends of the tunnel.
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as
0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 in plain text.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah simple
112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple
aabbccddeeff001100aabbccddeeff00
Related commands
ipsec policy (system view)
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
The time-based global SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
seconds: Specifies the time-based SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Specifies the traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy or IPsec profile that
it uses. If the IPsec policy or IPsec transform set is not configured with its own lifetime settings, IKE uses the
global SA lifetime settings, which are configured with the ipsec sa global-duration command.
When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those
proposed by the remote.
The SA lifetime applies to only IKE negotiated SAs.
Related commands
• ipsec sa global-duration