R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101
Parameters
seconds: Time-based global SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Traffic-based global SA lifetime in kilobytes, in the range of 2560 to 4294967295.
Description
Use ipsec sa global-duration to configure the global SA lifetime.
Use undo ipsec sa global-duration to restore the default.
By default, the time-based global SA lifetime is 3,600 seconds, and the traffic-based global SA lifetime
is 1843200 kilobytes.
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses.
If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE prefers the shorter of the local lifetime and the lifetime proposed by
the remote peer.
The SA lifetime applies only to IKE-negotiated SAs; it has no effect on manually configured SAs.
Related commands: sa duration and display ipsec sa duration.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).
[Sysname] ipsec sa global-duration traffic-based 10240
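The lifetime selection rules in the Description above can be checked offline when auditing two peers' configurations. The following Python sketch is an added example, not part of the original manual or of HP's software. It assumes that the per-policy sa duration command takes the same time-based and traffic-based keywords and value ranges as the global command, and that each snippet holds at most one policy; the two gateway configurations are constructed sample input.

```python
import re

# Defaults and ranges as stated for "ipsec sa global-duration" above.
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}
RANGES = {"time-based": (180, 604800), "traffic-based": (2560, 4294967295)}
# Assumption: "sa duration" (policy view) uses the same keywords and ranges.
_CMD = re.compile(
    r"^\s*(ipsec sa global-duration|sa duration)\s+(time-based|traffic-based)\s+(\d+)\s*$"
)

def parse_lifetimes(config_text):
    """Return (global_lifetimes, policy_lifetimes) found in a config snippet."""
    glob, policy = dict(DEFAULTS), {}
    for line in config_text.splitlines():
        m = _CMD.match(line)
        if not m:
            continue
        cmd, kind, value = m.group(1), m.group(2), int(m.group(3))
        lo, hi = RANGES[kind]
        if not lo <= value <= hi:
            raise ValueError(f"{kind} lifetime {value} outside {lo}-{hi}")
        (glob if cmd.startswith("ipsec") else policy)[kind] = value
    return glob, policy

def local_lifetime(config_text):
    """The policy's own lifetime wins; the global lifetime is the fallback."""
    glob, policy = parse_lifetimes(config_text)
    return {kind: policy.get(kind, glob[kind]) for kind in DEFAULTS}

def negotiated_lifetime(local_cfg, remote_cfg):
    """IKE settles on the shorter of the local and remote lifetimes."""
    a, b = local_lifetime(local_cfg), local_lifetime(remote_cfg)
    return {kind: min(a[kind], b[kind]) for kind in DEFAULTS}

# Constructed sample configurations (not taken from a real device).
GW_A = """
ipsec sa global-duration time-based 7200
ipsec sa global-duration traffic-based 10240
"""
GW_B = """
ipsec sa global-duration time-based 86400
 sa duration time-based 1800
"""

if __name__ == "__main__":
    print(negotiated_lifetime(GW_A, GW_B))
```

A result shorter than either administrator expects usually means the other peer, or a per-policy setting, is overriding the global value.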
ipsec synchronization enable
Syntax
ipsec synchronization enable
undo ipsec synchronization enable
View
System view
Default level
2: System level
Parameters
None
Description
Use ipsec synchronization enable to enable IPsec stateful failover.
Use undo ipsec synchronization enable to disable IPsec stateful failover.
By default, IPsec stateful failover is enabled.
Disabling IPsec stateful failover will delete all active or standby IPsec SAs and IKE SAs.
Examples
# Enable IPsec stateful failover.