Lifetime - Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration
JunosE 11.2.x IP Services Configuration Guide
128
If PFS is enabled, the router mandates PFS during SA negotiation. The remote security
gateway must accept PFS to successfully negotiate the SA. However, if PFS is disabled,
PFS might still be negotiated if the remote security gateway requests PFS.
PFS supports three Diffie-Hellman prime modulus groups:
Group 1—A 768-bit Diffie-Hellman prime modulus group
Group 2—A 1024-bit Diffie-Hellman prime modulus group
Group 5—A 1536-bit Diffie-Hellman prime modulus group
SA negotiation favors the highest request. For example, if group 2 is requested locally,
the remote security gateway must support group 2 for the SA negotiation to be successful.
If group 1 is requested locally, either group 1 or group 2 can be accepted, depending on the
request from the remote security gateway.
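The PFS rules above (PFS mandated when enabled locally, optionally accepted when disabled, and the strongest requested group winning) can be written down as a small decision function. This is an added illustration, not JunosE code; the function name, the `remote_groups` set and the treatment of a group 5 request generalize the group 1 / group 2 example in the text, and the choice made when PFS is disabled locally but the peer requests it (take the peer's strongest group) is an assumption.

```python
"""Decision logic for PFS during IPsec SA negotiation, modelled on the
JunosE description.  Added example, not router code."""

from typing import Optional, Set

# Diffie-Hellman groups the text lists for PFS and their modulus size in bits.
# "Stronger" below means a larger prime modulus.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}


class NegotiationError(Exception):
    """Raised when the SA cannot be negotiated under the PFS rules."""


def negotiate_pfs(local_pfs_enabled: bool,
                  local_group: Optional[int],
                  remote_requests_pfs: bool,
                  remote_groups: Set[int]) -> Optional[int]:
    """Return the DH group agreed for PFS, or None when PFS is not used.

    local_group is the group requested locally (ignored when PFS is disabled).
    remote_groups holds the groups the remote gateway requests/supports
    (hypothetical parameter; a real IKE exchange carries this in proposals).
    """
    remote_known = {g for g in remote_groups if g in DH_GROUP_BITS}

    if not local_pfs_enabled:
        if not remote_requests_pfs:
            return None  # PFS off locally and not asked for by the peer
        # PFS off locally but requested by the peer: PFS may still be
        # negotiated.  Assumption: accept the peer's strongest offered group.
        if not remote_known:
            raise NegotiationError("peer requested PFS with no usable group")
        return max(remote_known, key=DH_GROUP_BITS.__getitem__)

    # PFS enabled locally: the router mandates it, so the peer must accept.
    if not remote_requests_pfs:
        raise NegotiationError("local side mandates PFS but the peer refused it")
    if local_group not in DH_GROUP_BITS:
        raise NegotiationError(f"unsupported local DH group {local_group}")

    # Negotiation favors the highest request: the outcome is the strongest
    # group among the local request and the peer's requests, and the peer
    # must support that group (the local side supports all listed groups).
    highest = max(remote_known | {local_group}, key=DH_GROUP_BITS.__getitem__)
    if highest not in remote_known:
        raise NegotiationError(
            f"peer does not support group {highest}, which this side requires")
    return highest


def negotiation_fails(*args) -> bool:
    """Convenience wrapper so callers can check failure without try/except."""
    try:
        negotiate_pfs(*args)
    except NegotiationError:
        return True
    return False


if __name__ == "__main__":
    # Cases from the text: group 2 locally needs group 2 on the peer;
    # group 1 locally accepts group 1 or 2 depending on the peer's request.
    print(negotiate_pfs(True, 2, True, {2}))        # 2
    print(negotiation_fails(True, 2, True, {1}))    # True
    print(negotiate_pfs(True, 1, True, {1, 2}))     # 2
    print(negotiate_pfs(True, 1, True, {1}))        # 1
```

Groups are compared by modulus size rather than by group number so that the ordering stays correct if further groups with non-monotonic numbering are added to the table.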

Lifetime

You can set a lifetime for user SAs and IKE SAs. For information about setting the IKE SA
lifetime, see "Lifetime" on page 137.
For signaled IPSec interfaces, both the inbound and outbound SA must be assigned a
lifetime. The lifetime parameter controls the duration for which the SA is valid. When a
user SA is established, both a timer and a traffic volume counter are set. When either
counter reaches the limit specified by the SA lifetime, a new SA is negotiated and the
expired SA is deleted. The renegotiations refresh several SA parameters, including keys.
Note the following about how the lifetime parameters work:
To avoid delays in the data flow, a new user SA is actually renegotiated before the
expiration. If the SA expires in the middle of processing a packet, the router finishes
processing that packet.
The actual user SA lifetime may not equal the value configured in the router.
There are both global and tunnel-specific lifetime parameters. If there is no
tunnel-specific lifetime configured, the router uses the global lifetime. The global
lifetime parameters have the following default settings:
8 hours for the time-based lifetime
100 MB for the traffic-based lifetime
Lifetime parameters are valid only for user SAs established via IKE. Manually configured
user SAs ignore these parameters.
You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime.
To set the tunnel lifetime, use the tunnel lifetime command.
To set the global (default) lifetime, use the ipsec lifetime command.
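The lifetime behaviour described in this section (a timer and a traffic counter running side by side, renegotiation before expiry so data flow is not interrupted, a packet in flight being finished on the expiring SA, tunnel-specific values overriding the global defaults, and manually keyed SAs ignoring lifetime entirely) can be traced through with a small simulation. This is an added example, not JunosE code: the SPI values, the packet trace, the 10% renegotiation margin and the reading of "100 MB" as 100,000,000 bytes are assumptions, and the real router's internal timing is not described on the page.

```python
"""Simulation of IPsec user SA lifetime handling as described in the
JunosE IP Services guide.  Added example; not router code."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Global default lifetime values stated in the text: 8 hours, 100 MB.
# Assumption: MB read as 10**6 bytes; the page does not define the unit.
GLOBAL_LIFETIME = {"seconds": 8 * 60 * 60, "bytes": 100 * 1_000_000}

# Assumption: a replacement SA is negotiated once either counter is within
# this percentage of its limit, so it is ready before the old SA expires.
REKEY_MARGIN_PERCENT = 10


def effective_lifetime(tunnel_lifetime: Optional[dict]) -> dict:
    """Tunnel-specific lifetime wins; otherwise the global lifetime applies."""
    return tunnel_lifetime if tunnel_lifetime is not None else GLOBAL_LIFETIME


def soft_limit(limit: int) -> int:
    """Point at which renegotiation starts (integer arithmetic, no rounding)."""
    return limit * (100 - REKEY_MARGIN_PERCENT) // 100


@dataclass
class UserSA:
    spi: int               # constructed identifier for the example
    established_at: int    # seconds
    via_ike: bool          # lifetime applies only to IKE-established SAs
    lifetime: dict
    bytes_used: int = 0

    def age(self, now: int) -> int:
        return now - self.established_at

    def needs_rekey(self, now: int) -> bool:
        """Either counter has reached its soft limit (ignored for manual SAs)."""
        if not self.via_ike:
            return False
        return (self.age(now) >= soft_limit(self.lifetime["seconds"])
                or self.bytes_used >= soft_limit(self.lifetime["bytes"]))

    def expired(self, now: int) -> bool:
        """Either counter has reached the configured lifetime."""
        if not self.via_ike:
            return False
        return (self.age(now) >= self.lifetime["seconds"]
                or self.bytes_used >= self.lifetime["bytes"])


def run_tunnel(packets: List[Tuple[int, int]], lifetime: dict,
               via_ike: bool = True) -> List[Tuple[str, int, int]]:
    """Push (timestamp, size) packets through a tunnel; return SA events."""
    next_spi = 0x1000
    current = UserSA(next_spi, packets[0][0], via_ike, lifetime)
    pending: Optional[UserSA] = None
    events: List[Tuple[str, int, int]] = []
    for ts, size in packets:
        # Renegotiate ahead of expiry so the data flow is not delayed.
        if pending is None and current.needs_rekey(ts):
            next_spi += 1
            pending = UserSA(next_spi, ts, via_ike, lifetime)
            events.append(("negotiated", pending.spi, ts))
        # The SA in use finishes this packet even if it expires meanwhile.
        current.bytes_used += size
        if current.expired(ts):
            if pending is None:  # one large packet jumped past both limits
                next_spi += 1
                pending = UserSA(next_spi, ts, via_ike, lifetime)
                events.append(("negotiated", pending.spi, ts))
            events.append(("deleted", current.spi, ts))
            current, pending = pending, None
    return events


# Constructed trace: a tunnel lifetime of 60 s / 1000 bytes so both the
# volume trigger (first SA) and the time trigger (second SA) are exercised.
SAMPLE_LIFETIME = {"seconds": 60, "bytes": 1000}
SAMPLE_PACKETS = [(0, 300), (10, 300), (20, 300), (30, 50),
                  (40, 100), (50, 10), (85, 10), (95, 10)]

if __name__ == "__main__":
    for event in run_tunnel(SAMPLE_PACKETS, SAMPLE_LIFETIME):
        print(event)
    print(run_tunnel(SAMPLE_PACKETS, SAMPLE_LIFETIME, via_ike=False))  # []
```

In the sample trace the first SA is replaced because its byte counter hits the limit long before its timer does, and the second is replaced because of the timer during a quiet period; that is the "whichever counter reaches the limit first" rule from the text, and it is also why the observed lifetime rarely equals the configured value exactly.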
Copyright © 2010, Juniper Networks, Inc.
