(Optional) Setting the IKE SA Lifetime

Context

After the SA lifetime is set, SAs are updated in real time and difficult to decipher, enhancing security.

The IKE SA lifetime is classified as follows:

Hard lifetime (hard timeout period): specifies the lifetime of an IKE SA.

When two devices negotiate an IKE SA, the actual hard lifetime is the smaller of the two values configured on the two devices.
Soft lifetime (soft timeout period): refers to the time after which a new IKE SA is negotiated so that the new IKE SA will be ready before the hard lifetime of the original IKE SA expires.

Table 1 lists the default soft lifetime values.
Table 1 Soft lifetime values
IKE Protocol Type

Description

IKEv1

90% of the actual hard SA lifetime

IKEv2

85% of the actual hard SA lifetime plus or minus a random value

**Table 1** Soft lifetime values
IKE Protocol Type	Description
IKEv1	90% of the actual hard SA lifetime
IKEv2	85% of the actual hard SA lifetime plus or minus a random value

Before an IKE SA becomes invalid, IKE negotiates a new IKE SA for the remote end. The remote end uses the new IKE SA to protect IPSec communication immediately after the new IKE SA is negotiated. If service traffic is transmitted, the original IKE SA is deleted immediately. If no service traffic is transmitted, the original IKE SA will be deleted after 10s or the hard lifetime expires.

Changing the lifetime does not affect the established IKE SAs, and the changed value is used for establishing new IKE SAs in subsequent negotiation.

Procedure

Configure the IKE SA hard lifetime.
1. Run system-view
  The system view is displayed.
2. Run ike proposal proposal-number
  The IKE proposal view is displayed.
3. Run sa duration time-value
  The IKE SA hard lifetime is set.
  
  By default, the IKE SA hard lifetime is 86400s.
  
  If the hard lifetime ends, IKE SAs are updated automatically. IKE negotiation involves Diffie-Hellman key calculation, which takes a long period of time. To ensure that IKE SA update does not affect secure communication, you are advised to set the hard lifetime to a value greater than 600s.
Configure the IKE SA soft lifetime.
1. Run system-view
  The system view is displayed.
2. Run ike peer peer-name
  The IKE peer view is displayed.
3. Run sa soft-duration time-based buffer time-value
  The soft timeout buffer time is set.
  
  By default, the soft timeout buffer time is not configured for an IKE SA.
  
  When the difference between the hard SA lifetime and configured soft SA lifetime is larger than 10s, the difference is used as the soft lifetime. Otherwise, the default value is used.