(Optional) Setting the SA Lifetime

Context

The configured IPSec SA lifetime is only valid for the new IPSec SAs established in IKE negotiation mode.
When you set a traffic-based lifecycle, you are advised to refer to the total volume of IPSec traffic the device forwards in an hour.

For a dynamic SA, configure the SA hard lifetime so that the SA can be updated in real time, reducing the crash risk and improving security.

There are two methods to measure the lifetime:

Time-based lifetime

The period from when an SA is set up to when the SA is expired.
Traffic-based lifetime

The maximum volume of traffic that this SA can process.

The lifetime is classified as follows:

Hard lifetime: specifies the lifetime of an IPSec SA.

When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

Soft lifetime: specifies the time after which a new IPSec SA is negotiated so that the new IPSec SA will be ready before the hard lifetime of the original IPSec SA expires.

Table 1 lists the default soft lifetime values.

**Table 1** Soft lifetime values
Soft Lifetime Type	Description
Time-based soft lifetime (soft timeout period)	For IKEv1, the value is 90% of the actual hard lifetime (hard timeout period). For IKEv2, the value is 85% of the actual hard lifetime (hard timeout period) plus or minus a random value.
Traffic-based soft lifetime (soft timeout traffic)	For IKEv1, the value is 90% of the actual hard lifetime (hard timeout traffic). For IKEv2, the value is 85% of the actual hard lifetime (hard timeout traffic) plus or minus a random value.

Before an IPSec SA becomes invalid, IKE negotiates a new IPSec SA for the remote end. The remote end uses the new IPSec SA to protect IPSec communication immediately after the new IPSec SA is negotiated. If service traffic is transmitted, the original IPSec SA is deleted immediately. If no service traffic is transmitted, the original IPSec SA will be deleted after 10s or the hard lifetime expires.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

You can set the global SA hard lifetime or set the SA hard lifetime in an IPSec profile. If the SA hard lifetime is not set in an IPSec profile, the global hard lifetime is used. If both the global SA hard lifetime and the SA hard lifetime in an IPSec profile are set, the SA hard lifetime in the IPSec profile takes effect.

Procedure

Set the global IPSec SA hard lifetime.
1. Run system-view
  The system view is displayed.
2. Run ipsec sa global-duration { time-based interval | traffic-based size }
  The global IPSec SA hard lifetime is set.
3. Run ipsec sa global-soft-duration { time-based buffer interval | traffic-based buffer size }
  The global soft timeout buffer time or traffic volume for an IPSec SA is set.
  
  By default, the global soft timeout buffer time or traffic volume is not configured for an IPSec SA.
  
  If the configured soft timeout buffer time subtracted from the hard timeout is larger than 10s, the system uses the soft timeout buffer time subtracted from the hard timeout as the software timeout. Otherwise, the default value is used. If the configured soft timeout buffer traffic subtracted from the hard timeout traffic is larger than 7200 Kbytes, the system uses the soft timeout buffer traffic subtracted from the hard timeout traffic as the software timeout. Otherwise, the default value is used.
Setting the IPSec SA hard lifetime in an IPSec profile.
1. Run system-view
  The system view is displayed.
2. Run ipsec profile profile-name
  An IPSec profile is created and the IPSec profile view is displayed.
3. Run sa duration { traffic-based kilobytes | time-based seconds }
  The IPSec SA hard lifetime is set in the IPSec profile.
  
  By default, the IPSec SA hard lifetime is not set in an IPSec profile. The system uses the global IPSec SA hard lifetime.