
(Optional) Setting the IPSec SA Lifetime

Context

  • The IPSec SA lifetime applies only to IPSec SAs established through IKE negotiation. Manually established IPSec SAs never expire.

  • A newly configured IPSec SA lifetime applies only to IPSec SAs negotiated after it is configured; it does not change existing IPSec SAs.

  • When you set a traffic-based lifetime, use the total volume of IPSec traffic the device forwards in an hour as a reference.

For a dynamic SA, configure the SA hard lifetime so that the SA and its keys are refreshed regularly, reducing the risk that the keys are cracked and improving security.

There are two methods to measure the lifetime:
  • Time-based lifetime

    The period from when an SA is set up to when the SA is expired.

  • Traffic-based lifetime

    The maximum volume of traffic that this SA can process.

The lifetime is classified as follows:
  • Hard lifetime: the time or traffic volume after which an IPSec SA expires.

    When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime: the point at which a new IPSec SA is negotiated, so that the new IPSec SA is ready before the hard lifetime of the original IPSec SA expires.

    Table 1 lists the default soft lifetime values.
    Table 1 Soft lifetime values

    Time-based soft lifetime (soft timeout period):
    • For IKEv1, 90% of the actual hard lifetime (hard timeout period).
    • For IKEv2, 85% of the actual hard lifetime (hard timeout period), plus or minus a random value.

    Traffic-based soft lifetime (soft timeout traffic):
    • For IKEv1, 90% of the actual hard lifetime (hard timeout traffic).
    • For IKEv2, 85% of the actual hard lifetime (hard timeout traffic), plus or minus a random value.

Before an IPSec SA expires, IKE negotiates a new IPSec SA with the remote end, and the remote end starts protecting IPSec traffic with the new IPSec SA as soon as it is negotiated. If service traffic is being transmitted, the original IPSec SA is deleted immediately. If no service traffic is being transmitted, the original IPSec SA is deleted after 10 seconds or when its hard lifetime expires.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

You can set the global IPSec SA lifetime or set the IPSec SA lifetime in an IPSec policy. If the IPSec SA lifetime is not set in an IPSec policy, the global lifetime is used. If both the global IPSec SA lifetime and the IPSec SA lifetime in an IPSec policy are set, the IPSec SA lifetime in the IPSec policy takes effect.

Procedure

  • Set the global IPSec SA hard lifetime.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec sa global-duration { time-based interval | traffic-based size }

      The global IPSec SA hard lifetime is set.

    3. Run ipsec sa global-soft-duration { time-based buffer interval | traffic-based buffer size }

      The global soft timeout buffer time or traffic volume for an IPSec SA is set.

      By default, the global soft timeout buffer time or traffic volume is not configured for an IPSec SA.

      If the hard timeout period minus the configured soft timeout buffer time is longer than 10 seconds, the system uses that difference as the soft timeout period. Otherwise, the default soft timeout period (Table 1) is used. Likewise, if the hard timeout traffic minus the configured soft timeout buffer traffic is larger than 7200 KB, the system uses that difference as the soft timeout traffic. Otherwise, the default soft timeout traffic is used.

  • Set the IPSec SA hard lifetime in an IPSec policy.

    1. Run system-view

      The system view is displayed.

    2. Configure an IPSec policy in IPSec ISAKMP mode or using an IPSec policy template.

      • Run ipsec policy policy-name seq-number isakmp

        An IPSec policy in IPSec ISAKMP mode is created and the IPSec policy view is displayed.

      • Run ipsec policy-template template-name seq-number

        An IPSec policy template is created and the IPSec policy template view is displayed.

    3. Run sa duration { time-based seconds | traffic-based kilobytes }

      The IPSec SA hard lifetime is set in the IPSec policy.

      By default, the IPSec SA hard lifetime is not set in an IPSec policy. The system uses the global IPSec SA hard lifetime.

    4. Run sa soft-duration { time-based buffer interval | traffic-based buffer kilobytes }

      The soft timeout buffer time or traffic of an IPSec SA is configured in the IPSec policy.

      By default, the soft timeout buffer time or traffic volume is not configured for an IPSec SA in an IPSec policy.

      If the hard timeout period minus the configured soft timeout buffer time is longer than 10 seconds, the system uses that difference as the soft timeout period. Otherwise, the default soft timeout period (Table 1) is used. Likewise, if the hard timeout traffic minus the configured soft timeout buffer traffic is larger than 7200 KB, the system uses that difference as the soft timeout traffic. Otherwise, the default soft timeout traffic is used.

      This command can be configured only in the view of an IPSec policy in ISAKMP mode.

    5. (Optional) Run sa keep-holding-to hard-duration

      The device is configured to delete the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

      By default, during IPSec SA re-negotiation, the device deletes the original IPSec SA immediately after using the new IPSec SA to transmit data.

      After a new IPSec SA is negotiated, if the peer device still sends data over the original IPSec SA while the local device deletes the original IPSec SA immediately after using the new one, the IPSec SAs on the two devices become inconsistent and IPSec traffic is interrupted. In this case, perform this step on the local device.

      This function takes effect only for IPSec SAs established through IKEv1 negotiation.
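The rules from the Context section (the smaller of the two peers' hard lifetimes wins, the 90% and 85% default soft lifetimes, "either lifetime expires first", policy settings over global ones) and the 10-second and 7200 KB buffer thresholds from steps 3 and 4 above, put together as a small Python model. This is an added illustration, not Huawei code or device output: the type and function names (Lifetimes, effective, negotiated_hard, soft_from_hard, sa_status, plan) are made up, the field-by-field fallback from policy to global values and the size of the IKEv2 random offset are assumptions, and the values at the bottom are constructed sample input.

```python
"""Model of the IPSec SA lifetime rules on this page (added illustration)."""
import random
from dataclasses import dataclass
from typing import Optional

MIN_TIME_GAP_S = 10        # a time buffer is honoured only if hard - buffer > 10 s
MIN_TRAFFIC_GAP_KB = 7200  # a traffic buffer is honoured only if hard - buffer > 7200 KB
DEFAULT_SOFT_RATIO = {"ikev1": 0.90, "ikev2": 0.85}


@dataclass
class Lifetimes:
    """What one device configured, globally (ipsec sa global-duration /
    global-soft-duration) or in one policy (sa duration / sa soft-duration).
    None means not configured. Hypothetical type, not a device object."""
    hard_time_s: Optional[int] = None
    hard_traffic_kb: Optional[int] = None
    soft_buffer_time_s: Optional[int] = None
    soft_buffer_traffic_kb: Optional[int] = None


def effective(policy: Lifetimes, global_: Lifetimes) -> Lifetimes:
    """Policy values take effect over global ones; unset policy values fall
    back to the global ones. Assumption: the fallback is per field."""
    def pick(p, g):
        return p if p is not None else g
    return Lifetimes(
        pick(policy.hard_time_s, global_.hard_time_s),
        pick(policy.hard_traffic_kb, global_.hard_traffic_kb),
        pick(policy.soft_buffer_time_s, global_.soft_buffer_time_s),
        pick(policy.soft_buffer_traffic_kb, global_.soft_buffer_traffic_kb),
    )


def negotiated_hard(local: Optional[int], remote: Optional[int]) -> Optional[int]:
    """Actual hard lifetime: the smaller of the two peers' configured values."""
    values = [v for v in (local, remote) if v is not None]
    return min(values) if values else None


def soft_from_hard(hard: int, buffer: Optional[int], ike: str, min_gap: int,
                   jitter: float = 0.0, rng: Optional[random.Random] = None) -> int:
    """Soft lifetime in the same unit as 'hard' (seconds or kilobytes).
    hard - buffer is used when it exceeds min_gap; otherwise the default:
    90 % of hard for IKEv1, 85 % of hard +/- a random value for IKEv2.
    Assumption: the page does not size that random value, so 'jitter'
    (a fraction of hard, 0 by default) stands in for it."""
    if buffer is not None and hard - buffer > min_gap:
        return hard - buffer
    soft = hard * DEFAULT_SOFT_RATIO[ike]
    if ike == "ikev2" and jitter and rng is not None:
        soft += hard * rng.uniform(-jitter, jitter)
    return round(soft)


def sa_status(age_s: int, sent_kb: int, hard_s: Optional[int], soft_s: Optional[int],
              hard_kb: Optional[int], soft_kb: Optional[int]) -> str:
    """'expired' once either hard lifetime is reached (the SA becomes invalid
    when either expires), 'rekey' once either soft lifetime is reached, else
    'active'. A limit of None means that lifetime kind is not configured."""
    def hit(value, limit):
        return limit is not None and value >= limit
    if hit(age_s, hard_s) or hit(sent_kb, hard_kb):
        return "expired"
    if hit(age_s, soft_s) or hit(sent_kb, soft_kb):
        return "rekey"
    return "active"


def plan(local: Lifetimes, remote_hard_s: Optional[int],
         remote_hard_kb: Optional[int], ike: str) -> dict:
    """Negotiate the hard values against the peer, then derive the soft values
    from the local buffers (the peer's buffers play no part)."""
    hard_s = negotiated_hard(local.hard_time_s, remote_hard_s)
    hard_kb = negotiated_hard(local.hard_traffic_kb, remote_hard_kb)
    return {
        "hard_s": hard_s,
        "soft_s": None if hard_s is None else
        soft_from_hard(hard_s, local.soft_buffer_time_s, ike, MIN_TIME_GAP_S),
        "hard_kb": hard_kb,
        "soft_kb": None if hard_kb is None else
        soft_from_hard(hard_kb, local.soft_buffer_traffic_kb, ike, MIN_TRAFFIC_GAP_KB),
    }


if __name__ == "__main__":
    # Constructed sample: global 3600 s / 9000 KB; the policy overrides the time to
    # 1800 s with a 300 s buffer and sets a 2000 KB traffic buffer, which leaves only
    # 7000 KB (not > 7200 KB), so the 90 % default applies to traffic. Peer: 2400 s / 9000 KB.
    cfg = effective(Lifetimes(hard_time_s=1800, soft_buffer_time_s=300, soft_buffer_traffic_kb=2000),
                    Lifetimes(hard_time_s=3600, hard_traffic_kb=9000))
    result = plan(cfg, 2400, 9000, "ikev1")
    print(result)                         # hard 1800 s / soft 1500 s, hard 9000 KB / soft 8100 KB
    print(sa_status(1500, 100, **result))  # rekey: time soft lifetime reached
    print(sa_status(100, 9000, **result))  # expired: traffic hard lifetime reached first
```

The model makes the two operational points of the page concrete: the peer's hard lifetime can shorten the SA below what the local policy says, so a soft buffer sized against the local hard value may be silently rejected and fall back to the default once the negotiated value is smaller; and with both lifetime kinds set, the traffic counter can expire the SA long before the time-based value does.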

Copyright © Huawei Technologies Co., Ltd.