Command Reference Guide

3Com Router 3000 Ethernet Family
Chapter 5 IPSec Configuration Commands
3Com Corporation
Use the undo sa duration command to cancel the SA duration, i.e., restore the use of
the global SA duration.
When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured
with its own duration, the system uses the global SA duration to negotiate with the
peer. If the IPSec policy is configured with its own duration, the system uses the
duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up
an SA for IPSec, the shorter of the lifetime set locally and the lifetime proposed by
the remote peer is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes). With the traffic-based SA duration, the validity of the SA is measured by
the total traffic that can be processed by this SA, and the SA becomes invalid when the
set value is exceeded. The SA becomes invalid as soon as either of the two types
expires, whichever comes first. Before the SA becomes invalid, IKE negotiates a new
SA for IPSec, so a new SA is ready before the existing one becomes invalid.
The SA duration has no effect on a manually set up SA; that is, a manually set up SA
will never be invalidated.
Related commands: ipsec sa global-duration, ipsec policy (system view), ipsec
policy (interface view), security acl, tunnel local, tunnel remote and proposal.
Example
# Set the SA duration for the IPSec policy shenzhen 100 to 2 hours, that is, 7200
seconds.
[3Com] ipsec policy shenzhen 100 isakmp
[3Com-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200
# Set the SA duration for the IPSec policy shenzhen 100 to 20M bytes, that is, the SA
expires when the traffic exceeds 20000 kilobytes.
[3Com] ipsec policy shenzhen 100 isakmp
[3Com-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000
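The following Python script is an added example, not part of the 3Com guide. It reads saved configuration text and reports, per IPSec policy, which SA duration applies under the rules described above, marking manual policies whose SAs never expire. The manual keyword, the arguments of ipsec sa global-duration, the policy "branch" and the sample values are assumptions made for illustration.

```python
import re

KINDS = ("time-based", "traffic-based")  # seconds, kilobytes
POLICY = re.compile(r"ipsec policy (\S+) (\d+) (isakmp|manual)$")
GLOBAL = re.compile(r"ipsec sa global-duration (time-based|traffic-based) (\d+)$")
LOCAL = re.compile(r"sa duration (time-based|traffic-based) (\d+)$")

# Constructed sample; policy "branch" and the global-duration value are made up.
SAMPLE = """\
ipsec sa global-duration time-based 3600
ipsec policy shenzhen 100 isakmp
 sa duration time-based 7200
 sa duration traffic-based 20000
ipsec policy shenzhen 200 isakmp
ipsec policy branch 10 manual
"""

def audit(config):
    """Map (policy, seq) -> duration the device would propose, per type."""
    global_dur, policies, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := POLICY.match(line):
            current = policies.setdefault((m[1], int(m[2])), {"mode": m[3], "own": {}})
        elif m := GLOBAL.match(line):
            global_dur[m[1]] = int(m[2])
        elif (m := LOCAL.match(line)) and current is not None:
            current["own"][m[1]] = int(m[2])
    report = {}
    for key, pol in policies.items():
        if pol["mode"] == "manual":
            # SA duration does not apply: a manually set up SA is never invalidated.
            report[key] = {kind: "never expires" for kind in KINDS}
            continue
        # The policy's own duration wins; otherwise the global one is used.
        # None means neither is configured, so the device default applies.
        report[key] = {k: pol["own"].get(k, global_dur.get(k)) for k in KINDS}
    return report

def negotiated(local, peer):
    """Per type, IKE selects the shorter of the local value and the peer's proposal."""
    return {k: min(local[k], peer[k]) for k in KINDS}

if __name__ == "__main__":
    for key, durations in audit(SAMPLE).items():
        print(key, durations)
```

Policies reported as "never expires" keep the same keys until an administrator changes them, so they are the ones to review first.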
5.1.22 sa encryption-hex
Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp
View
Manually-established IPSec policy view