Command Reference Guide
3Com Router 3000 Ethernet Family
Chapter 5 IPSec Configuration Commands
3Com Corporation
5.1.15 ipsec sa global-duration
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
View
System view
Parameter
time-based seconds: Time-based global SA duration in seconds, ranging from 30 to
604800 seconds. The default is 3600 seconds (1 hour).
traffic-based kilobytes: Traffic-based global SA duration in kilobytes, ranging from 256
to 4194303 kilobytes. The default is 1843200 kilobytes. When the traffic reaches this
value, the duration expires.
Description
Use the ipsec sa global-duration command to set a global SA duration.
Use the undo ipsec sa global-duration command to restore the global SA duration to
its default setting.
When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured
with its own duration, the system uses the global SA duration specified by this
command to negotiate with the peer. If the IPSec policy is configured with its own
duration, the system uses the duration of the IPSec policy to negotiate with the peer.
When IKE negotiates to set up an SA for IPSec, the smaller of the lifetime set
locally and the lifetime proposed by the remote peer is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes). The traffic-based SA duration measures the validity of the SA by the total
traffic that the SA can process, and the SA becomes invalid when the set value is
exceeded. Whichever of the two types expires first, the SA becomes invalid. Before the
SA becomes invalid, IKE negotiates a new SA for IPSec, so a new SA is ready before
the existing one becomes invalid.
Modifying the global SA duration does not affect a map that has its own SA duration
configured, or an SA that has already been set up. The modified global SA duration is
used to set up new SAs in future IKE negotiations.
The SA duration does not apply to a manually established SA; that is, a manually
established SA is never invalidated.
Related commands: sa duration, display ipsec sa duration.
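
The lifetime rules described above, modelled as an added example (not code from 3Com or from this guide). The function names are hypothetical; the model assumes the "smaller value wins" rule is applied to the time-based and traffic-based lifetimes separately, and that throughput is steady.

```python
from typing import Optional, Tuple

# Ranges and defaults from the Parameter section above.
TIME_RANGE = (30, 604800)        # seconds
TRAFFIC_RANGE = (256, 4194303)   # kilobytes
DEFAULT_TIME = 3600
DEFAULT_TRAFFIC = 1843200


def check_range(value: int, bounds: Tuple[int, int], name: str) -> int:
    """Reject a value outside the range the command documents."""
    low, high = bounds
    if not low <= value <= high:
        raise ValueError(f"{name} {value} is outside {low}..{high}")
    return value


def negotiated(global_value: int, policy_value: Optional[int], peer_value: int) -> int:
    """A policy's own duration replaces the global one; the smaller of local and peer wins."""
    local = global_value if policy_value is None else policy_value
    return min(local, peer_value)


def crossover_rate(time_s: int, traffic_kb: int) -> float:
    """Steady throughput (KB/s) above which the traffic-based limit is reached first."""
    return traffic_kb / time_s


def first_expiry(time_s: int, traffic_kb: int, rate_kb_s: float) -> Tuple[float, str]:
    """Return (seconds until the SA becomes invalid, limit that was reached first)."""
    if rate_kb_s > 0 and traffic_kb / rate_kb_s < time_s:
        return traffic_kb / rate_kb_s, "traffic-based"
    return float(time_s), "time-based"


if __name__ == "__main__":
    # Constructed scenario: no per-policy duration, peer proposes 28800 s / 4194303 KB.
    t = negotiated(check_range(DEFAULT_TIME, TIME_RANGE, "time-based"), None, 28800)
    k = negotiated(check_range(DEFAULT_TRAFFIC, TRAFFIC_RANGE, "traffic-based"), None, 4194303)
    print("negotiated:", t, "s /", k, "KB")
    print("traffic limit wins above", crossover_rate(t, k), "KB/s")
    for rate in (100, 512, 1024):  # constructed steady throughputs in KB/s
        print(rate, "KB/s ->", first_expiry(t, k, rate))
```

With the default values, the traffic-based limit is reached before the one-hour limit once sustained throughput exceeds 512 KB/s, so on faster links the kilobyte setting determines how often the SA is renegotiated.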










