Step 3—Configuring Encryption
Cisco 7100 Series VPN Configuration Guide
Setting Global Lifetimes for IPSec Security Associations
You can change the global lifetime values that are used when negotiating new IPSec SAs. (These global lifetime values can be overridden for a particular crypto map entry.) These lifetimes apply only to security associations established using IKE. Manually established security associations do not expire.
There are two lifetimes: a “timed” lifetime and a “traffic-volume” lifetime. An SA expires after the first of these lifetimes is reached. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes (10 megabytes per second for one hour).
If you change a global lifetime, the new lifetime value is not applied to currently existing SAs, but it is used in the negotiation of subsequently established SAs. To use the new values immediately, clear all or part of the SA database using the clear crypto sa command.
IPSec SAs use one or more shared secret keys. These keys and their SAs time out together.
To change a global lifetime for IPSec SAs, enter one or more of the following commands in global configuration mode:
Command                                                                          Purpose
hq-sanjose(config)# crypto ipsec security-association lifetime seconds 3600
    Change the global timed lifetime for IPSec SAs. This example configures the SA to time out after 3600 seconds.
hq-sanjose(config)# crypto ipsec security-association lifetime kilobytes 4608000
    Change the global traffic-volume lifetime for IPSec SAs. This example configures the SA to time out after 4,608,000 kilobytes of traffic have passed through the IPSec tunnel using the SA.
Verifying Global Lifetimes for IPSec Security Associations
To verify the configuration:
• Enter the show crypto ipsec security-association-lifetime EXEC command to see the global security association lifetime values.
hq-sanjose# show crypto ipsec security-association-lifetime
Security association lifetime:4608000 kilobytes/3600 seconds
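As an added example that is not part of the Cisco guide, the following Python parses the show crypto ipsec security-association-lifetime output quoted in this section and applies the rule that an IKE-established SA expires at whichever of the two lifetimes is reached first; the steady throughput figure and the policy maximums are assumed inputs, and the sample output is constructed from the text above rather than captured from a device.

```python
import re

# Constructed sample of the EXEC command output quoted in this section (not a live capture).
SHOW_OUTPUT = """hq-sanjose# show crypto ipsec security-association-lifetime
Security association lifetime:4608000 kilobytes/3600 seconds"""

# Both limits appear on one line; tolerate an optional space after the colon.
LIFETIME_RE = re.compile(
    r"Security association lifetime:\s*(?P<kb>\d+)\s*kilobytes/(?P<sec>\d+)\s*seconds"
)


def parse_global_lifetimes(text):
    """Return (kilobytes, seconds) from 'show crypto ipsec security-association-lifetime'."""
    m = LIFETIME_RE.search(text)
    if m is None:
        raise ValueError("no security association lifetime line found")
    return int(m.group("kb")), int(m.group("sec"))


def first_expiry(kb_limit, sec_limit, kb_per_sec):
    """Which lifetime an IKE-negotiated SA reaches first at an assumed steady throughput.

    kb_per_sec is kilobytes per second through the tunnel. Returns
    (which_lifetime, seconds_until_expiry). Manually keyed SAs never expire,
    so this only applies to SAs established through IKE.
    """
    if kb_per_sec <= 0:
        return "timed", float(sec_limit)          # no traffic: only the clock matters
    volume_seconds = kb_limit / kb_per_sec        # time to exhaust the volume limit
    if volume_seconds < sec_limit:
        return "traffic-volume", volume_seconds
    return "timed", float(sec_limit)


def check_policy(kb_limit, sec_limit, max_kb, max_sec):
    """Audit helper against an assumed site policy: report lifetimes above the maximums.

    Lowering a global lifetime does not change SAs that already exist;
    'clear crypto sa' is needed for the new values to take effect at once.
    """
    findings = []
    if sec_limit > max_sec:
        findings.append(f"timed lifetime {sec_limit}s exceeds policy maximum {max_sec}s")
    if kb_limit > max_kb:
        findings.append(f"traffic-volume lifetime {kb_limit} KB exceeds policy maximum {max_kb} KB")
    return findings


if __name__ == "__main__":
    kb, sec = parse_global_lifetimes(SHOW_OUTPUT)
    print(kb, sec, first_expiry(kb, sec, 2560), check_policy(kb, sec, 4608000, 1800))
```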