HP Cisco MDS 9216 - Fabric Switch Configuration Manual page 888

Global Lifetime Values
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Assuming that the particular crypto map entry does not have lifetime values configured, when the switch
requests new SAs it will specify its global lifetime values in the request to the peer; it will use this value
as the lifetime of the new SAs. When the switch receives a negotiation request from the peer, it uses the
value determined by the IKE version in use:
• If you use IKEv1 to set up IPsec SAs, the SA lifetime values are chosen to be the smaller of the two
proposals. The same values are programmed on both the ends of the tunnel.
If you use IKEv2 to set up IPsec SAs, the SAs on each end have their own set up of lifetime values
•
and thus the SAs on both sides expire independently.
The SA (and corresponding keys) will expire according to whichever comes sooner, either after the
specified amount of time (in seconds) has passed or after the specified amount of traffic (in bytes) has
passed.
A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that
negotiation completes before the existing SA expires.
The new SA is negotiated when one of the following thresholds is reached (whichever comes first):
• 30 seconds before the lifetime expires or
Approximately 10% of the lifetime in bytes remain
•
If no traffic has passed through when the lifetime expires, a new SA is not negotiated. Instead, a new SA
will be negotiated only when IPsec sees another packet that should be protected.
To configure global SA lifetimes using Fabric Manager, follow these steps:
Step 1 Choose Switches > Security and then select IPSEC in the Physical Attributes pane.
Step 2 You see the IP Sec configuration in the Information pane.
Step 3 Choose the Global tab.
Step 4 Double-click and edit the value in the Life Time(sec) column (see
Figure 44-34
Click Apply Changes to save your changes.
Step 5
Cisco MDS 9000 Family CLI Configuration Guide
44-38
IP Sec Configuration Global Tab
Chapter 44 Configuring IPsec Network Security
Figure 44-34).
OL-16184-01, Cisco MDS SAN-OS Release 3.x