R2511-HP MSR Router Series Security Command Reference(V5)
Default
The IKEv2 SA lifetime is 86400 seconds.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.
Usage guidelines
An IKEv2 SA can be reused for subsequent IKEv2 negotiations until its lifetime expires, which saves
considerable negotiation time. However, the longer the lifetime, the greater the chance that an attacker
collects enough information to mount an attack.
Two peers might have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation.
The end with a shorter lifetime always initiates the rekeying request.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Set the IKEv2 SA lifetime to 1200 seconds.
[Sysname-ikev2-profile-profile1] lifetime 1200
Related commands
display ikev2 profile
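The following Python script is an added example, not part of the HP reference: it audits a saved configuration for IKEv2 profile lifetimes, using the default and range stated above, and reports which end initiates rekeying. The sample configuration, its layout (profile settings indented under the profile line), the 28800-second policy ceiling and all function names are assumptions made for illustration.

```python
import re
DEFAULT_LIFETIME = 86400                  # default stated in this reference
MIN_LIFETIME, MAX_LIFETIME = 120, 86400   # valid range stated in this reference
# Constructed sample; assumes profile settings are indented under the profile line.
SAMPLE_CONFIG = """\
#
ikev2 profile profile1
 lifetime 1200
#
ikev2 profile branch
 match identity remote fqdn peer.example.com
#
ikev2 profile legacy
 lifetime 86400
"""

def parse_ikev2_lifetimes(config_text):
    """Return {profile: lifetime_seconds}; unset profiles get the default."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        m = re.fullmatch(r"ikev2 profile (\S+)", raw.strip())
        if m:
            current = m.group(1)
            profiles[current] = DEFAULT_LIFETIME
        elif not raw.startswith(" "):
            current = None                # unindented line leaves the profile view
        elif current and (m := re.fullmatch(r"lifetime (\d+)", raw.strip())):
            profiles[current] = int(m.group(1))
    return profiles

def audit(profiles, policy_max):
    """Flag lifetimes outside the valid range or above a site policy ceiling."""
    findings = []
    for name, secs in sorted(profiles.items()):
        if not MIN_LIFETIME <= secs <= MAX_LIFETIME:
            findings.append((name, secs, "outside valid range"))
        elif secs > policy_max:
            findings.append((name, secs, "exceeds policy maximum"))
    return findings

def rekey_initiator(local_secs, peer_secs):
    """Lifetimes are not negotiated: the end with the shorter one rekeys first."""
    if local_secs == peer_secs:
        return None                       # equal case is not covered by the reference
    return "local" if local_secs < peer_secs else "peer"

if __name__ == "__main__":
    found = parse_ikev2_lifetimes(SAMPLE_CONFIG)
    print(audit(found, policy_max=28800))  # 28800 is a hypothetical site ceiling
    print(rekey_initiator(found["profile1"], 86400))
```

Profiles with no lifetime line are reported at the 86400-second default, so they are flagged by any ceiling below that value.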
match
Use match to configure an IKEv2 profile matching criterion.
Use undo match to delete an IKEv2 profile matching criterion.
Syntax
match { address local { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address } |
certificate access-control-policy string | identity remote { address { ipv4-address [ mask-length ] | ipv6
ipv6-address [ prefix-length ] } | email email-string | fqdn fqdn-name | key-id key-id } }
undo match { address local { ipv4-address | interface interface-type interface-number | ipv6
ipv6-address } | certificate access-control-policy string | identity remote { { address ipv4-address
[ mask-length ] | ipv6 ipv6-address [ prefix-length ] } | email email-string | fqdn fqdn-name | key-id
key-id } }
Default
No IKEv2 profile matching criterion is configured.
Views
IKEv2 profile view
Default command level
2: System level










