Command Reference Guide

3Com Router 5000 Family and Router 6000 Family Command Reference
ipsec sa global-duration
Purpose Use the ipsec sa global-duration command to set a global SA duration.
Use the undo ipsec sa global-duration command to restore the global SA duration
to its default setting.
Syntax ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Parameters time-based seconds
Time-based global SA duration (in seconds). Valid values are 30 to 604800.
If no value is specified, the default is 3600 seconds (1 hour).
traffic-based kilobytes
Traffic-based global SA duration (in kilobytes). Valid values are 256 to 4194303.
If no value is specified, the default is 1843200. When the traffic reaches this
value, the duration expires.
Example Set the global SA duration to 2 hours.
[3Com] ipsec sa global-duration time-based 7200
Set the global SA duration to 10M bytes transmitted.
[3Com] ipsec sa global-duration traffic-based 10000
View This command can be used in the following views:
System view
Description When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured
with its own duration, the system uses the global SA duration specified by this
command to negotiate with the peer. If the IPSec policy is configured with its own
duration, the system uses the duration of the IPSec policy to negotiate with the
peer. When IKE negotiates to set up an SA for IPSec, the smaller of the lifetime
set locally and the lifetime proposed by the remote peer is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes). With a traffic-based duration, the lifetime of the SA is measured by the
total traffic that the SA can process, and the SA becomes invalid when the set value
is exceeded. The SA becomes invalid as soon as either of the two durations expires,
whichever comes first. Before the SA becomes invalid, IKE negotiates a new SA for
IPSec, so a new SA is ready before the existing one becomes invalid.
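
The rules in the Description, worked through as an added Python example (not code from the 3Com documentation): it validates global-duration lines against the documented ranges, applies the policy override and the smaller-value rule, and computes when the SA becomes invalid. Assumptions: the smaller-value rule is applied to each duration type separately, a policy's own duration replaces both global values, and the peer proposal and the 1250 KB/s load are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Ranges and defaults as listed under Parameters on this page.
LIMITS = {"time-based": (30, 604800), "traffic-based": (256, 4194303)}
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}

@dataclass
class Lifetime:
    seconds: int
    kilobytes: int

def parse_global_duration(config_lines):
    """Return the global Lifetime set by config lines, else the defaults."""
    values = dict(DEFAULTS)
    for line in config_lines:
        words = line.split()
        if words[:3] != ["ipsec", "sa", "global-duration"]:
            continue  # other commands, including the undo form, are skipped
        if len(words) != 5 or words[3] not in LIMITS or not words[4].isdigit():
            raise ValueError(f"malformed command: {line!r}")
        low, high = LIMITS[words[3]]
        if not low <= int(words[4]) <= high:
            raise ValueError(f"value out of range {low}-{high}: {line!r}")
        values[words[3]] = int(words[4])
    return Lifetime(values["time-based"], values["traffic-based"])

def negotiated(global_life, policy_life: Optional[Lifetime], peer: Lifetime):
    """A policy's own duration replaces the global one; the smaller side wins."""
    local = policy_life if policy_life is not None else global_life
    return Lifetime(min(local.seconds, peer.seconds),
                    min(local.kilobytes, peer.kilobytes))

def seconds_until_expiry(life: Lifetime, kilobytes_per_second: float):
    """Time until the SA becomes invalid: whichever limit is reached first."""
    if kilobytes_per_second <= 0:
        return float(life.seconds)
    return min(float(life.seconds), life.kilobytes / kilobytes_per_second)

# Constructed sample: the two example commands from this page, and an
# assumed peer proposal equal to the documented defaults.
SAMPLE_CONFIG = ["ipsec sa global-duration time-based 7200",
                 "ipsec sa global-duration traffic-based 10000"]
PEER = Lifetime(3600, 1843200)

if __name__ == "__main__":
    sa = negotiated(parse_global_duration(SAMPLE_CONFIG), None, PEER)
    print(sa, seconds_until_expiry(sa, 1250.0))  # 1250 KB/s is an assumed load
```

With the page's 10000-kilobyte example value, the traffic limit rather than the time limit drives rekeying under sustained load, which is worth checking before choosing a small traffic-based duration.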