3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration Commands 383
View
System view
Parameter
time-based seconds: Time-based global SA duration in seconds, ranging from 30 to
604800 seconds. The default is 3600 seconds (1 hour).
traffic-based kilobytes: Traffic-based global SA duration in kilobytes, ranging from
256 to 4194303 kilobytes. The default is 1843200 kilobytes; when the traffic
processed by the SA reaches this value, the duration expires.
Description
Use the ipsec sa global-duration command to set a global SA duration.
Use the undo ipsec sa global-duration command to restore the default global SA
duration.
When IKE negotiates to establish an SA, if the IPsec policy in use is not
configured with its own duration, the system uses the global SA duration set by
this command in the negotiation with the peer. If the IPsec policy is configured
with its own duration, the system uses the duration of the IPsec policy instead.
When IKE negotiates an SA for IPsec, the smaller of the lifetime set locally and
the lifetime proposed by the remote peer is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes). With the traffic-based SA duration, the valid time of the SA is
measured by the total traffic the SA may process, and the SA becomes invalid once
the set value is exceeded. Whichever of the two limits is reached first, the SA
becomes invalid. Shortly before the SA becomes invalid, IKE negotiates a new SA
for IPsec, so a new SA is ready before the existing one expires.
Modifying the global SA duration affects neither a map that has its own SA
duration nor an SA that is already set up. The modified global SA duration is used
for new SAs in subsequent IKE negotiations.
The SA duration does not apply to a manually set up SA; such an SA is never
invalidated.
Related command: sa duration and display ipsec sa duration.
Example
# Set the global SA duration to 2 hours.
[SecBlade_VPN] ipsec sa global-duration time-based 7200
# Set the global SA duration to 10M bytes transmitted.
[SecBlade_VPN] ipsec sa global-duration traffic-based 10000
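The following is an added, constructed model (not vendor code from the 3Com guide) of the lifetime rules described above: the per-command ranges and defaults, the override of the global setting by a policy's own sa duration, IKE's choice of the smaller local and remote lifetime for each limit type, expiry when either limit is reached, and the exemption of manually configured SAs. The peer proposal and the class and function names are assumptions made for the illustration.

```python
"""Constructed model of how the IPsec module selects and applies an SA
lifetime, following the description of 'ipsec sa global-duration'.
Illustration only; not the switch's own implementation."""
from dataclasses import dataclass
from typing import Optional

# Defaults and permitted ranges as stated for the command.
DEFAULT_TIME_SECONDS = 3600          # 1 hour
DEFAULT_TRAFFIC_KBYTES = 1843200
TIME_RANGE = (30, 604800)
TRAFFIC_RANGE = (256, 4194303)


@dataclass(frozen=True)
class Duration:
    """Frozen: an SA that was already negotiated keeps its own lifetime."""
    time_seconds: int
    traffic_kbytes: int


class GlobalDuration:
    """Global setting in system view; each keyword is set independently."""

    def __init__(self) -> None:
        self.current = Duration(DEFAULT_TIME_SECONDS, DEFAULT_TRAFFIC_KBYTES)

    def set_time_based(self, seconds: int) -> None:
        # 'ipsec sa global-duration time-based <seconds>'
        if not TIME_RANGE[0] <= seconds <= TIME_RANGE[1]:
            raise ValueError(f"time-based must be {TIME_RANGE[0]}..{TIME_RANGE[1]}")
        self.current = Duration(seconds, self.current.traffic_kbytes)

    def set_traffic_based(self, kbytes: int) -> None:
        # 'ipsec sa global-duration traffic-based <kilobytes>'
        if not TRAFFIC_RANGE[0] <= kbytes <= TRAFFIC_RANGE[1]:
            raise ValueError(f"traffic-based must be {TRAFFIC_RANGE[0]}..{TRAFFIC_RANGE[1]}")
        self.current = Duration(self.current.time_seconds, kbytes)

    def undo(self) -> None:
        # 'undo ipsec sa global-duration'; modelled here (assumption) as
        # restoring both defaults at once.
        self.current = Duration(DEFAULT_TIME_SECONDS, DEFAULT_TRAFFIC_KBYTES)


def local_lifetime(global_dur: Duration, policy_dur: Optional[Duration]) -> Duration:
    """A policy with its own 'sa duration' overrides the global setting."""
    return policy_dur if policy_dur is not None else global_dur


def negotiate_lifetime(local: Duration, remote_proposal: Duration) -> Duration:
    """IKE keeps the smaller of the local and remotely proposed lifetimes,
    separately for the time-based and the traffic-based limit."""
    return Duration(
        min(local.time_seconds, remote_proposal.time_seconds),
        min(local.traffic_kbytes, remote_proposal.traffic_kbytes),
    )


def sa_expired(lifetime: Duration, elapsed_seconds: int, processed_kbytes: int,
               manual: bool = False) -> bool:
    """The SA is invalid as soon as either limit is reached; a manually
    configured SA is never invalidated by the duration mechanism."""
    if manual:
        return False
    return (elapsed_seconds >= lifetime.time_seconds
            or processed_kbytes >= lifetime.traffic_kbytes)


def walkthrough() -> Duration:
    """Replay the page's two example commands, then negotiate with a
    constructed peer that proposes 3600 s / 20000 KB."""
    g = GlobalDuration()
    g.set_time_based(7200)        # 2 hours
    g.set_traffic_based(10000)    # about 10 MB
    local = local_lifetime(g.current, None)   # policy has no own duration
    peer = Duration(3600, 20000)              # constructed peer proposal
    return negotiate_lifetime(local, peer)    # -> Duration(3600, 10000)


if __name__ == "__main__":
    print(walkthrough())
```

Because Duration is immutable and negotiate_lifetime returns a new object, changing the global setting afterwards does not alter an SA that already holds its negotiated lifetime, which matches the statement that only future negotiations pick up the modified value.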
pfs
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }