R0106-HP MSR Router Series Security Command Reference(V7)

Usage guidelines
This function applies only to IPsec SAs negotiated by IKE and takes effect when the ipsec sa idle-time
command has been configured.
The IPsec SA idle timeout configured in IPsec policy view or IPsec policy template view takes precedence
over the global IPsec SA timeout configured by the ipsec sa idle-time command.
Examples
# Set the IPsec SA idle timeout to 600 seconds for the IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy map 100 isakmp
[Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600
Related commands
display ipsec sa
ipsec sa idle-time
sa spi
Use sa spi to configure an SPI for IPsec SAs.
Use undo sa spi to remove the SPI.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies an SPI for inbound SAs.
outbound: Specifies an SPI for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction
are unique. For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is
unique. For an inbound SA, make sure its SPI is unique.
The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must
use the same SPI as the remote inbound SA.
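
The following offline check is an added example, not part of the HP manual. It parses sa spi lines from two peers' configurations and reports SPIs outside the documented range, a missing direction, local/remote SPIs that do not mirror each other, and inbound SPIs reused on one device. The sample configurations and function names are constructed for illustration, and the outbound triplet check is left out because sa spi lines carry no peer address.

```python
import re

# Syntax from this page: sa spi { inbound | outbound } { ah | esp } spi-number
SA_SPI = re.compile(r"^\s*sa spi (inbound|outbound) (ah|esp) (\d+)\s*$")
SPI_MIN, SPI_MAX = 256, 4294967295  # range given for spi-number
MIRROR = {"inbound": "outbound", "outbound": "inbound"}

def parse_sa_spi(config_text):
    """Return {(direction, protocol): spi} for each 'sa spi' line."""
    spis = {}
    for line in config_text.splitlines():
        m = SA_SPI.match(line)
        if m:
            spis[(m.group(1), m.group(2))] = int(m.group(3))
    return spis

def check_pair(local_cfg, remote_cfg):
    """List rule violations between one manual policy and its peer."""
    local, remote = parse_sa_spi(local_cfg), parse_sa_spi(remote_cfg)
    problems = []
    for side, spis in (("local", local), ("remote", remote)):
        for (direction, proto), spi in sorted(spis.items()):
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{side} {direction} {proto}: SPI {spi} out of range")
            if (MIRROR[direction], proto) not in spis:
                problems.append(f"{side} {proto}: no {MIRROR[direction]} SPI")
    for direction, proto in sorted(set(local) | {(MIRROR[d], p) for d, p in remote}):
        mine, theirs = local.get((direction, proto)), remote.get((MIRROR[direction], proto))
        if mine != theirs:
            problems.append(f"local {direction} {proto} SPI {mine} != "
                            f"remote {MIRROR[direction]} {proto} SPI {theirs}")
    return problems

def duplicate_inbound_spis(policy_cfgs):
    """Inbound SPIs used by more than one SA on the same device."""
    seen, dupes = set(), set()
    for cfg in policy_cfgs:
        for (direction, _), spi in parse_sa_spi(cfg).items():
            if direction == "inbound":
                (dupes if spi in seen else seen).add(spi)
    return sorted(dupes)

# Constructed sample configurations (not taken from the manual)
PEER_A = "ipsec policy map 100 manual\n sa spi inbound esp 54321\n sa spi outbound esp 12345\n"
PEER_B_OK = "ipsec policy map 100 manual\n sa spi inbound esp 12345\n sa spi outbound esp 54321\n"
PEER_B_BAD = "ipsec policy map 100 manual\n sa spi inbound esp 12345\n sa spi outbound esp 200\n"

if __name__ == "__main__":
    print(check_pair(PEER_A, PEER_B_OK), check_pair(PEER_A, PEER_B_BAD))
```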