3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

158 CHAPTER 10: IPSEC CONFIGURATION
Note: This section covers only referencing an IKE peer in the IPsec policy. In practice, other parameters must also be configured in IKE peer view, including the IKE negotiation mode, ID type, NAT traversal, pre-shared key, peer IP address and peer name. Refer to the next chapter for details.
5 Configuring SA duration (lifetime) (optional)
Configuring global SA lifetime
Any SA whose IPsec policy does not set its own lifetime in IPsec policy view uses the global lifetime. When an SA is negotiated through IKE, the smaller of the lifetimes configured locally and at the peer is adopted.
There are two types of lifetime: time-based and traffic-based. An SA becomes invalid as soon as either limit is reached. Before the old SA expires, IKE negotiates a new SA for IPsec, so that a replacement is already in place when the old one becomes fully invalid.
Perform the following configurations in system view (Table 142).
Changing the global lifetime does not affect IPsec policies that set their own lifetime, nor SAs that have already been established; the new global lifetime applies only to IKE negotiations initiated after the change.
Lifetime is significant only for SAs established in isakmp mode (negotiated by IKE). A manually established SA has no lifetime and remains valid until it is removed.
Configuring SA lifetime in IPsec policy view
You can configure a separate SA lifetime for an individual IPsec policy. If a policy has no lifetime of its own, the global SA lifetime applies.
When an SA is negotiated through IKE, the smaller of the lifetimes configured locally and at the peer is adopted.
Perform the following configurations in IPsec policy view.
Table 141 Reference an IKE peer in the IPsec policy
Operation                                              Command
Reference an IKE peer in the IPsec policy              ike peer peer-name
Remove the referenced IKE peer from the IPsec policy   undo ike peer [ peer-name ]

Table 142 Configure a global SA lifetime
Operation                                Command
Configure a global SA lifetime           ipsec sa global-duration { traffic-based kilobytes | time-based seconds }
Restore the default global SA lifetime   undo ipsec sa global-duration { traffic-based | time-based }
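The lifetime rules above (policy-specific value overrides the global one, IKE adopts the smaller of the local and peer values per limit type, an SA is invalid once either limit is reached and is rekeyed shortly before that, a manually established SA never expires, and a changed global lifetime only affects later negotiations) are modelled in the following Python example. It is an added illustration, not code from the 3Com guide or the switch software; the policy names, the numeric lifetimes and the rekey margin are assumptions chosen for the example.

```python
"""Model of IPsec SA lifetime selection and expiry (added example, not from the guide)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Lifetime:
    """Both limits apply at once: the SA expires when either one is reached."""
    time_based: int      # seconds
    traffic_based: int   # kilobytes


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    lifetime: Optional[Lifetime] = None   # None: no lifetime of its own, use the global value


@dataclass
class Sa:
    policy: str
    manual: bool                  # manually established SAs carry no lifetime at all
    lifetime: Optional[Lifetime]  # fixed when the SA is negotiated, never updated afterwards
    age_seconds: int = 0
    kilobytes: int = 0


# Assumption for illustration: IKE starts the replacement negotiation once 90 % of a limit is used.
REKEY_FRACTION = 0.9


def local_lifetime(policy: IpsecPolicy, global_lifetime: Lifetime) -> Lifetime:
    """A lifetime set in IPsec policy view wins; otherwise the global lifetime applies."""
    return policy.lifetime if policy.lifetime is not None else global_lifetime


def negotiate_lifetime(local: Lifetime, peer: Lifetime) -> Lifetime:
    """IKE adopts the smaller of the two proposals, independently per limit type."""
    return Lifetime(min(local.time_based, peer.time_based),
                    min(local.traffic_based, peer.traffic_based))


def establish_ike_sa(policy: IpsecPolicy, global_lifetime: Lifetime, peer_lifetime: Lifetime) -> Sa:
    """isakmp-mode SA: the negotiated lifetime is stored with the SA."""
    return Sa(policy.name, manual=False,
              lifetime=negotiate_lifetime(local_lifetime(policy, global_lifetime), peer_lifetime))


def establish_manual_sa(policy: IpsecPolicy) -> Sa:
    """Manually established SA: no lifetime, it stays valid until removed."""
    return Sa(policy.name, manual=True, lifetime=None)


def sa_state(sa: Sa) -> str:
    """'valid', 'rekey' (IKE should negotiate the successor now) or 'expired'."""
    if sa.manual:
        return "valid"
    lt = sa.lifetime
    if sa.age_seconds >= lt.time_based or sa.kilobytes >= lt.traffic_based:
        return "expired"
    if (sa.age_seconds >= lt.time_based * REKEY_FRACTION
            or sa.kilobytes >= lt.traffic_based * REKEY_FRACTION):
        return "rekey"
    return "valid"


def advance(sa: Sa, seconds: int = 0, kilobytes: int = 0) -> Sa:
    """Account elapsed time and protected traffic against the SA."""
    sa.age_seconds += seconds
    sa.kilobytes += kilobytes
    return sa


def global_change_demo():
    """Changing the global lifetime leaves an established SA untouched and only
    affects the next negotiation. Returns (old SA lifetime, new SA lifetime)."""
    policy = IpsecPolicy("map10")                      # assumed name, no lifetime of its own
    peer = Lifetime(time_based=7200, traffic_based=4000000)
    old_sa = establish_ike_sa(policy, Lifetime(3600, 1843200), peer)
    new_global = Lifetime(1200, 1000000)               # after 'ipsec sa global-duration ...'
    new_sa = establish_ike_sa(policy, new_global, peer)  # next negotiation uses the new value
    return old_sa.lifetime, new_sa.lifetime


if __name__ == "__main__":
    sa = establish_ike_sa(IpsecPolicy("map20", Lifetime(600, 500000)),
                          Lifetime(3600, 1843200), Lifetime(1800, 2000000))
    print(sa.lifetime, sa_state(sa))
    print(sa_state(advance(sa, seconds=540)), sa_state(advance(sa, kilobytes=500000)))
    print(global_change_demo())
```

The model keeps the negotiated lifetime inside the Sa object, which is why `global_change_demo` shows the old SA unaffected by the later global change; on the switch the same holds because the lifetime is agreed during the IKE exchange, not looked up at each packet.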