Ipsec Sa Global-Duration; Ipsec Session Idle-Time - HP 5120 SI series Command Reference Manual

ipsec sa global-duration

Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
View
System view
Default level
2: System level
Parameters
seconds: Time-based global SA lifetime in seconds, in the range 180 to 604800.
kilobytes: Traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.
Description
Use the ipsec sa global-duration command to configure the global SA lifetime.
Use the undo ipsec sa global-duration command to restore the default.
By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is
1843200 kilobytes.
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy that it uses. If the IPsec policy
is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by
the remote.
You can configure both a time-based lifetime and a traffic-based lifetime. An SA expires when either
lifetime expires.
The SA lifetime applies to only IKE negotiated SAs. It is not effective for manually configured SAs.
If IPsec uses IKE automatic negotiation, when IPsec SAs reach the traffic-based lifetime, IPsec notifies IKE
to re-perform phase 1 and phase 2 negotiations.
Related commands: sa duration.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).
[Sysname] ipsec sa global-duration traffic-based 10240

ipsec session idle-time

Syntax
ipsec session idle-time seconds
undo ipsec session idle-time
338