R2511-HP MSR Router Series Security Command Reference(V5)
229
Parameters
seconds: Specifies the time-based SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Specifies the traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy or IPsec profile that
it uses. If the IPsec policy or IPsec transform set is not configured with its own lifetime settings, IKE uses the
global SA lifetime settings, which are configured with the ipsec sa global-duration command.
When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those
proposed by the remote.
The SA lifetime applies to only IKE negotiated SAs instead of manually configured SAs.
Related commands
• ipsec sa global-duration
• ipsec policy (system view)
• ipsec profile (system view)
Examples
# Set the SA lifetime for IPsec policy1 to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
# Set the SA lifetime for IPsec profile profile1 to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration time-based 7200
# Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
Syntax
sa encryption-hex { inbound | outbound } esp [ cipher | simple ] hex-key
undo sa encryption-hex { inbound | outbound } esp
Views
IPsec policy view