Default
IPsec redundancy is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
With IPsec redundancy enabled, the system synchronizes the following information from the active
device to the standby device at configurable intervals:
•
Lower bound values of the IPsec anti-replay window for inbound packets.
•
IPsec anti-replay sequence numbers for outbound packets.
The synchronization ensures uninterrupted IPsec traffic forwarding and anti-replay protection when
the active device fails.
To configure synchronization intervals, use the redundancy replay-interval command.
Examples
# Enable IPsec redundancy.
<Sysname> system-view
[Sysname] ipsec redundancy enable
Related commands
redundancy replay-interval
ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is
1843200 kilobytes.
Views
System view
Predefined user roles
network-admin
Parameters
time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to
604800 seconds.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560
to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
548