ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
Usage guidelines
You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view. The device prefers the IPsec SA lifetimes configured in IPsec policy view or IPsec policy template view over the global IPsec SA lifetimes.
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.
An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation.
Examples
# Configure the global IPsec SA lifetime as 7200 seconds.
<Sysname> system-view [Sysname] ipsec sa global-duration time-based 7200
# Configure the global IPsec SA lifetime as 10240 kilobytes.
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
display ipsec sa
sa duration