Cisco IOS XR Configuration Manual page 133

System security configuration guide

Implementing IPSec Network Security on Cisco IOS XR Software
Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA.
Lifetimes for IPSec Security Associations
Cisco IOS XR software currently allows the configuration of lifetimes for IPSec SAs. Lifetimes can be
configured globally or for each crypto profile. Two lifetimes exist: a "timed" lifetime and a
"traffic-volume" lifetime. A security association expires after the first of these lifetimes is reached.
IPSec Security Association Idle Timers
The IPSec SA idle timers are different from the global lifetimes for IPSec SAs. The expiration of the
global lifetime is independent of peer activity. The IPSec SA idle timer allows SAs associated with
inactive peers to be deleted before the global lifetime has expired.
If the IPSec SA idle timers are not configured, only the global lifetimes for IPSec SAs are applied. SAs
are maintained until the global timers expire, regardless of peer activity.
Note: If the last IPSec SA to a given peer is deleted because of idle timer expiration, the Internet Key Exchange
(IKE) SA to that peer is also deleted.
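The lifetime and idle-timer rules described above, modelled as an added Python example (not Cisco code and not part of the guide). The names, the periodic-sweep evaluation order, and the sample peers and timer values are assumptions made for illustration; because the guide only describes IKE SA removal for the idle-timer case, the model leaves the IKE SA in place when an SA ends by lifetime.

```python
from dataclasses import dataclass

@dataclass
class IPSecSA:
    peer: str
    created: float        # time the SA was established (seconds)
    last_traffic: float   # time of the last packet protected by this SA
    kilobytes: int = 0    # traffic volume carried so far

def expiry_reason(sa, now, lifetime_s, lifetime_kb, idle_s=None):
    """Return why the SA must be deleted at `now`, or None if it stays up."""
    if now - sa.created >= lifetime_s:        # "timed" lifetime
        return "timed-lifetime"
    if sa.kilobytes >= lifetime_kb:           # "traffic-volume" lifetime
        return "traffic-volume-lifetime"
    # The idle timer applies only when configured (idle_s is not None).
    if idle_s is not None and now - sa.last_traffic >= idle_s:
        return "idle-timer"
    return None

def sweep(ipsec_sas, ike_peers, now, lifetime_s, lifetime_kb, idle_s=None):
    """Delete expired SAs in place and return (peer, event) tuples."""
    events = []
    for sa in list(ipsec_sas):
        reason = expiry_reason(sa, now, lifetime_s, lifetime_kb, idle_s)
        if reason is None:
            continue
        ipsec_sas.remove(sa)
        events.append((sa.peer, reason))
        last_for_peer = all(s.peer != sa.peer for s in ipsec_sas)
        # Last IPSec SA to a peer removed by the idle timer: IKE SA goes too.
        if reason == "idle-timer" and last_for_peer and sa.peer in ike_peers:
            ike_peers.discard(sa.peer)
            events.append((sa.peer, "ike-sa-deleted"))
    return events

def demo():
    # Constructed sample data: one quiet peer, one active peer, checked at t=900 s.
    sas = [IPSecSA("192.0.2.1", created=0, last_traffic=100),
           IPSecSA("192.0.2.2", created=0, last_traffic=850, kilobytes=5000)]
    ike = {"192.0.2.1", "192.0.2.2"}
    with_idle = sweep(list(sas), set(ike), 900, 3600, 4608000, idle_s=600)
    without_idle = sweep(list(sas), set(ike), 900, 3600, 4608000)
    return with_idle, without_idle

if __name__ == "__main__":
    print(demo())
```

With the idle timer set, the quiet peer's SA and its IKE SA are removed at the 900-second check; without it, both SAs remain until a lifetime is reached.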
Configuring the IPSec SA Idle Timer Globally
This task configures IPSec security association (SA) idle timers globally.
SUMMARY STEPS
1. configure
2. crypto ipsec security-association idle-time seconds
3. end
   or
   commit
DETAILED STEPS
        Command or Action                  Purpose
Step 1  configure                          Enters global configuration mode.
        Example:
        RP/0/0/CPU0:router# configure

How to Implement General IPSec Configurations for IPSec Networks
Cisco IOS XR System Security Configuration Guide
SC-121


This manual is also suitable for:

IOS XR 3.5
