R2511-HP MSR Router Series Security Command Reference(V5)
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200
kilobytes.
Views
System view
Default command level
2: System level
Parameters
seconds: Specifies the time-based global SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Specifies the traffic-based global SA lifetime in kilobytes, in the range of 2560 to
4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses.
If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE prefers the shorter of the local lifetime and the lifetime proposed
by the remote peer.
You can configure both a time-based and a traffic-based global SA lifetime. An SA is aged out when it
has existed for the specified time period or has processed the specified volume of traffic.
The SA lifetime applies only to IKE-negotiated SAs, not to manually configured SAs.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).
[Sysname] ipsec sa global-duration traffic-based 10240
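The following is an added example, not part of the HP reference or device software: a small Python audit helper that reads global-duration commands from a configuration excerpt, enforces the documented ranges and defaults, and resolves the lifetime an IKE-negotiated SA would get under the usage guidelines above. The function names, the dictionary layout for the policy and remote values, and the sample configuration are assumptions made for illustration.

```python
import re

# Ranges and defaults as documented for "ipsec sa global-duration".
LIMITS = {"time-based": (180, 604800), "traffic-based": (2560, 4294967295)}
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}
CMD = re.compile(
    r"^\s*(undo\s+)?ipsec sa global-duration (time-based|traffic-based)(?:\s+(\d+))?\s*$"
)

def parse_global_durations(config_text):
    """Return the global SA lifetimes after applying each command in order."""
    current = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = CMD.match(line)
        if not m:
            continue  # not a global-duration command
        undo, kind, value = m.groups()
        if undo:
            current[kind] = DEFAULTS[kind]  # undo restores the default
            continue
        if value is None:
            raise ValueError(f"missing value: {line.strip()!r}")
        low, high = LIMITS[kind]
        if not low <= int(value) <= high:
            raise ValueError(f"{kind} value {value} outside {low}-{high}")
        current[kind] = int(value)
    return current

def effective_lifetime(global_cfg, policy_cfg, remote_proposal):
    """Policy lifetime if set, else global; then the shorter of local and remote."""
    result = {}
    for kind in LIMITS:
        local = policy_cfg.get(kind, global_cfg[kind])
        # Assumption: a remote that proposes nothing for this kind leaves the local value.
        result[kind] = min(local, remote_proposal.get(kind, local))
    return result

# Constructed sample configuration (mirrors the values in the examples above).
SAMPLE_CONFIG = """\
ipsec sa global-duration time-based 7200
ipsec sa global-duration traffic-based 10240
"""

if __name__ == "__main__":
    g = parse_global_durations(SAMPLE_CONFIG)
    # Hypothetical policy with its own time-based lifetime; constructed remote proposal.
    print(effective_lifetime(g, {"time-based": 3600},
                             {"time-based": 28800, "traffic-based": 4096}))
```

An SA ages out when either resulting limit is reached, so both values in the returned dictionary matter when reviewing rekey behaviour.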
Related commands
sa duration
ipsec session idle-time
Use ipsec session idle-time to set the idle timeout for IPsec sessions.
Use undo ipsec session idle-time to restore the default.
Syntax
ipsec session idle-time seconds
undo ipsec session idle-time
Default
The IPsec session idle timeout is 300 seconds.










