Table of Contents
Advertisement
Example
# Enable the tunnel to detect the reachability of the remote route.
[3Com] ipsec sa dynamic-detect
4.1.30 ipsec sa global-duration
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
View
System view
Parameter
time-based seconds: Specify the time-based global living time. If the time reaches to
this value, the living time expires. seconds is in the range of 30 to 4294967295, in
second. By default, seconds is 3600 seconds.
traffic-based kilobytes: Specify the traffic-based global living time. If the traffic
reaches to this value, the living time expires. kilobytes is in the range of 256 to
4194303, in kilobyte. By default, it is 1843200 kilobytes.
Description
Using the ipsec sa global-duration command, you can configure a global crypto SA
lifetime. Using the undo ipsec sa global-duration command, you can restore the
default value of the lifetime of the global security association.
This command is applicable to the IPSec module of the operating system and crypto
card.
All SAs that have not been configured individually in IPSec policy view will adopt this
global lifetime.
When IKE negotiates to set up an SA for IPSec, the lesser of the lifetime set locally
and that proposed by the peer is selected.
There are two types of lifetime: time-based and traffic-based lifetimes. No matter
which expires first, the SA will get invalid. Before the SA is about to get invalid, IKE
will set up a new SA for IPSec negotiation. So, a new SA is ready before the existing
one gets invalid.
Security
73
- Quick Links:
- Command Line Interface Commands
Hide quick links:
Advertisement
Chapters
Table of Contents
