sa duration
Use sa duration to set an SA lifetime.
Use undo sa duration to remove an SA lifetime.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy, IPsec policy template, or IPsec profile is the current global SA lifetime.
Views
IPsec policy view
IPsec policy template view
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
Usage guidelines
IKE prefers the SA lifetime of the IPsec policy, IPsec policy template, or IPsec profile over the global SA lifetime configured by the ipsec sa global-duration command. If the IPsec policy, IPsec policy template, or IPsec profile is not configured with the SA lifetime, IKE uses the global SA lifetime for SA negotiation.
During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.
Examples
# Set the SA lifetime to 7200 seconds for IPsec policy policy1.
<Sysname> system-view [Sysname] ipsec policy policy1 100 isakmp [Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime to 20 MB for IPsec policy policy1. The IPsec SA expires after transmitting 20480 kilobytes.
<Sysname> system-view [Sysname] ipsec policy policy1 100 isakmp [Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
Related commands
display ipsec sa
ipsec sa global-duration