3Com 3C13636 Configuration Manual page 1124

3Com Router 3000 Ethernet Family
Configuration Guide
will negotiate to set up a new SA for IPSec. Thus, when the old SA becomes fully invalid,
a new one is available.
Perform the following configurations in system view.
Table 7-16 Configure a global SA lifetime

Operation                                  Command
Configure a global SA lifetime.            ipsec sa global-duration { traffic-based kilobytes | time-based seconds }
Restore the default global SA lifetime.    undo ipsec sa global-duration { traffic-based | time-based }

Changing the configured global lifetime does not affect the IPSec policies that have
separate lifetimes or the SAs that have been set up. The changed global lifetime will
apply to the IKE negotiation initiated later.
Lifetime is significant only to SAs established in isakmp mode, not to manually
established SAs. In other words, a manually established SA remains in effect permanently.
b. Configuring SA lifetime in IPSec policy view
You can configure a separate SA lifetime for an IPSec policy. If such a lifetime is not
available, the global SA lifetime will apply.
In the SA negotiation via IKE, the smaller of the lifetimes configured at the local end
and at the peer is adopted.
Perform the following configurations in IPSec policy view.
Table 7-17 Configure an SA lifetime

Operation                                        Command
Configure an SA lifetime for the IPSec policy.   sa duration { traffic-based kilobytes | time-based seconds }
Adopt the configured global SA lifetime.         undo sa duration { traffic-based | time-based }

Changing the configured global lifetime does not affect the SAs that have been set up.
The changed global lifetime will apply to the IKE negotiation initiated later.
6) Configuring the PFS feature in negotiation (optional)
Perfect Forward Secrecy (PFS) is a security feature. With it, keys are not derived from
one another, so the compromise of one key will not threaten the security of other keys.
This feature is implemented by adding a key exchange to the stage-2 negotiation of IKE.
Perform the following configuration in IPSec policy view.

3Com Corporation
7-20
Chapter 7 IPSec Configuration
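The SA lifetime rules described above (policy lifetime overrides the global one, IKE adopts the smaller of the two peers' values, manual SAs never expire) can be checked against two peers' configurations. This is an added example, not code from the manual or from 3Com. The `ipsec policy <name> <seq> <mode>` header line, the default values and the sample configurations are assumptions made for illustration.

```python
import re

# Assumed placeholders: the page does not state the factory default lifetimes.
DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}
# Assumed policy header syntax (not on this page): ipsec policy <name> <seq> <mode>
POLICY = re.compile(r"ipsec policy (\S+) (\d+) (isakmp|manual)$")
# The lifetime commands from Tables 7-16 and 7-17.
DURATION = re.compile(r"(ipsec sa global-duration|sa duration) (time-based|traffic-based) (\d+)$")

def parse(config):
    """Split a configuration into global lifetimes and per-policy settings."""
    glob, policies, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := POLICY.match(line):
            current = policies.setdefault((m[1], int(m[2])), {"mode": m[3], "lifetimes": {}})
        elif m := DURATION.match(line):
            if m[1] != "sa duration":        # system view command
                glob[m[2]], current = int(m[3]), None
            elif current is not None:        # IPSec policy view command
                current["lifetimes"][m[2]] = int(m[3])
    return glob, policies

def local_lifetime(config, policy, kind):
    """Policy lifetime if set, else global, else default; None for manual SAs."""
    glob, policies = parse(config)
    entry = policies[policy]
    if entry["mode"] == "manual":
        return None  # a manually established SA never expires
    return entry["lifetimes"].get(kind, glob.get(kind, DEFAULTS[kind]))

def negotiated_lifetime(local_cfg, peer_cfg, policy, kind):
    """IKE adopts the smaller of the local and peer lifetimes."""
    ends = [local_lifetime(cfg, policy, kind) for cfg in (local_cfg, peer_cfg)]
    return None if None in ends else min(ends)

# Constructed sample configurations for two peers.
SITE_A = """
ipsec sa global-duration time-based 7200
ipsec policy branch 10 isakmp
 sa duration time-based 1800
ipsec policy legacy 20 manual
"""
SITE_B = """
ipsec sa global-duration time-based 3000
ipsec sa global-duration traffic-based 500000
ipsec policy branch 10 isakmp
ipsec policy legacy 20 manual
"""
```

With these samples, `negotiated_lifetime(SITE_A, SITE_B, ("branch", 10), "time-based")` returns 1800, and the `("legacy", 20)` policy returns `None`, which marks an SA that is never rekeyed.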
