sa duration

Use sa duration to set an SA lifetime.

Use undo sa duration to remove an SA lifetime.

Syntax

sa duration { time-based seconds | traffic-based kilobytes }

undo sa duration { time-based | traffic-based }

Default

The SA lifetime of an IPsec policy, IPsec policy template, or IPsec profile is the current global SA lifetime.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

mdc-admin

Parameters

time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.

traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.

Usage guidelines

IKE prefers the SA lifetime of the IPsec policy, IPsec policy template, or IPsec profile over the global SA lifetime configured by the ipsec sa global-duration command. If the IPsec policy, IPsec policy template, or IPsec profile is not configured with the SA lifetime, IKE uses the global SA lifetime for SA negotiation.

During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.

Examples

# Set the SA lifetime to 7200 seconds for IPsec policy policy1.

<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime to 20 MB for IPsec policy policy1. The IPsec SA expires after transmitting 20480 kilobytes.

<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480

Related commands

display ipsec sa

ipsec sa global-duration