R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as
0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00
sa duration
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
seconds: Time-based SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.
Description
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
By default, the SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is
1843200 kilobytes.
When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy or IPsec profile that
it uses. If the IPsec policy or IPsec proposal is not configured with its own lifetime settings, IKE uses the
global SA lifetime settings, which are configured with the ipsec sa global-duration command.
When negotiating to set up an SA, IKE prefers the shorter of the local lifetime settings and those
proposed by the remote peer.
The SA lifetime applies only to IKE-negotiated SAs. It has no effect on manually configured SAs.
Related commands: ipsec sa global-duration, ipsec policy (system view) and ipsec profile (system view).
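The lifetime rules described above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the original command reference or of any HP tool. It assumes the `ipsec sa global-duration { time-based | traffic-based } value` line format and the `isakmp` policy mode keyword, neither of which is shown on this page; the sample configuration and the `remote` argument (the peer's proposed lifetimes) are constructed for illustration.

```python
import re

# Ranges and defaults as stated in the command reference above.
RANGES = {"time-based": (180, 604800), "traffic-based": (2560, 4294967295)}
GLOBAL_DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
ipsec sa global-duration time-based 28800
ipsec policy policy1 100 manual
 sa duration time-based 7200
ipsec policy policy1 200 isakmp
 sa duration time-based 7200
 sa duration traffic-based 1024
ipsec policy policy2 10 isakmp
"""

KIND = r"(time-based|traffic-based)"

def audit(config, remote=None):
    """Return ({policy: {kind: effective lifetime}}, [findings])."""
    remote = remote or {}  # hypothetical: lifetimes proposed by the remote peer
    glob, policies, findings = dict(GLOBAL_DEFAULTS), {}, []
    current = None
    for line in config.splitlines():
        if m := re.match(rf"ipsec sa global-duration {KIND} (\d+)$", line):
            glob[m[1]] = int(m[2])
        elif m := re.match(r"ipsec policy (\S+) (\d+) (manual|isakmp)$", line):
            current = (f"{m[1]}/{m[2]}", m[3])
            policies[current] = {}
        elif current and (m := re.match(rf"\s+sa duration {KIND} (\d+)$", line)):
            kind, value = m[1], int(m[2])
            lo, hi = RANGES[kind]
            if current[1] == "manual":
                findings.append(f"{current[0]}: sa duration has no effect on manual SAs")
            elif not lo <= value <= hi:
                findings.append(f"{current[0]}: {kind} {value} outside {lo}-{hi}")
            else:
                policies[current][kind] = value
    effective = {}
    for (name, mode), own in policies.items():
        if mode == "manual":
            continue  # lifetimes apply only to IKE-negotiated SAs
        local = {**glob, **own}  # the policy's own setting wins over the global one
        # IKE takes the shorter of the local value and the remote proposal.
        effective[name] = {k: min(v, remote.get(k, v)) for k, v in local.items()}
    return effective, findings
```

Calling `audit(SAMPLE, remote={"time-based": 3600})` shows how a shorter remote proposal overrides both the per-policy and the global time-based lifetime.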
Examples
# Set the SA lifetime for IPsec policy1 to 7200 seconds (two hours).