3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration Commands
Parameter
time-based seconds: Time-based SA duration in seconds, ranging from 30 to 604800
seconds. The default is 3600 seconds (1 hour).
traffic-based kilobytes: Traffic-based SA duration in kilobytes, ranging from 256 to
4194303 kilobytes. The default is 1843200 kilobytes.
Description
Use the sa duration command to set the SA duration of the IPsec policy.
Use the undo sa duration command to cancel the policy's SA duration, that is, to
restore the use of the global SA duration.
When IKE negotiates an SA and the IPsec policy in use has no duration of its own,
the system negotiates with the peer using the global SA duration. If the IPsec
policy has its own duration, the system negotiates with the peer using the
duration of the IPsec policy. When IKE negotiates an SA for IPsec, the shorter of
the lifetime set locally and the lifetime proposed by the remote peer is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes). The traffic-based SA duration is measured by the total traffic that
the SA can process, and the SA becomes invalid when the set value is exceeded.
Whichever of the two types expires first, the SA becomes invalid. Before the SA
becomes invalid, IKE negotiates a new SA for IPsec, so a new SA is ready before
the existing one becomes invalid.
The SA duration does not apply to a manually established SA; that is, a manually
established SA is never invalidated.
Related commands: ipsec sa global-duration, ipsec policy (system view), ipsec
policy (interface view), security acl, tunnel local, tunnel remote and proposal.
Example
# Set the SA duration for the IPsec policy shenzhen 100 to 2 hours, that is, 7200
seconds.
[SecBlade_VPN] ipsec policy shenzhen 100 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200
# Set the SA duration for the IPsec policy shenzhen 100 to 20M bytes, that is, the
SA expires when the traffic exceeds 20000 kilobytes.
[SecBlade_VPN] ipsec policy shenzhen 100 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000
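The resolution rules described above (a policy's own duration overrides the global one, the shorter of the local and peer lifetimes is selected, and manual SAs ignore the duration), as an added Python example that is not part of the 3Com guide. The configuration text is constructed; the argument form of ipsec sa global-duration and the manual policy keyword are assumptions, since this page names them without showing their syntax.

```python
import re

# Ranges and defaults as stated in the parameter description above.
LIMITS = {"time-based": (30, 604800), "traffic-based": (256, 4194303)}
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}
POLICY = re.compile(r"ipsec policy (\S+) (\d+) (isakmp|manual)")
DURATION = re.compile(
    r"(ipsec sa global-duration|sa duration) (time-based|traffic-based) (\d+)")

# Constructed sample configuration, not captured from a device.
# The global-duration syntax and the "manual" keyword are assumptions.
SAMPLE = """\
ipsec sa global-duration time-based 28800
ipsec policy shenzhen 100 isakmp
 sa duration time-based 7200
 sa duration traffic-based 20000
ipsec policy shenzhen 200 isakmp
ipsec policy legacy 10 manual
 sa duration time-based 10
"""

def audit(config):
    """Return ({policy: local lifetimes, or None for manual}, [findings])."""
    glob, own, mode, findings, cur = dict(DEFAULTS), {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := POLICY.fullmatch(line):
            cur = (m[1], int(m[2]))
            own[cur], mode[cur] = {}, m[3]
        elif m := DURATION.fullmatch(line):
            kind, value = m[2], int(m[3])
            lo, hi = LIMITS[kind]
            if not lo <= value <= hi:
                findings.append(f"{line}: outside {lo}-{hi}")
            elif m[1] != "sa duration":
                glob[kind] = value          # global SA duration
            elif cur:
                own[cur][kind] = value      # the policy's own duration
    result = {}
    for pol, mine in own.items():
        if mode[pol] == "manual":
            result[pol] = None              # duration does not apply
            findings.append(f"{pol[0]} {pol[1]}: manual SA, never invalidated")
        else:
            result[pol] = {**glob, **mine}  # policy value overrides global
    return result, findings

def negotiated(local, peer):
    """The shorter of the local and the peer's proposed lifetime is selected."""
    return {kind: min(local[kind], peer[kind]) for kind in LIMITS}
```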
sa encryption-hex
Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp