
ipsec sa global-soft-duration buffer

Function

The ipsec sa global-soft-duration buffer command sets the global soft timeout buffer time or traffic volume for an IPSec SA.

The undo ipsec sa global-soft-duration buffer command deletes the global soft timeout buffer time or traffic volume of an IPSec SA.

By default, the global soft timeout buffer time or traffic volume is not configured for an IPSec SA.

Format

ipsec sa global-soft-duration { time-based buffer seconds | traffic-based buffer kilobytes }

undo ipsec sa global-soft-duration { time-based | traffic-based } buffer

Parameters

Parameter | Description | Value
time-based buffer seconds | Specifies the global time-based soft timeout buffer for an IPSec SA. | The value is an integer that ranges from 10s to 36000s.
traffic-based buffer kilobytes | Specifies the global traffic-based soft timeout buffer for an IPSec SA. | The value is an integer that ranges from 7200 to 4187103 KB.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before the IPSec SA hard lifetime expires, a new IPSec SA is negotiated to replace the original IPSec SA. The time from the establishment of the original IPSec SA till the negotiation of the new IPSec SA is the soft lifetime.

Table 1 lists the default soft lifetime values.

Table 1 Soft lifetime values

Soft Lifetime Type | Description

Time-based soft lifetime (soft timeout period):
  • For IKEv1, the value is 90% of the actual hard lifetime (hard timeout period).
  • For IKEv2, the value is 85% of the actual hard lifetime (hard timeout period) plus or minus a random value.

Traffic-based soft lifetime (soft timeout traffic):
  • For IKEv1, the value is 90% of the actual hard lifetime (hard timeout traffic).
  • For IKEv2, the value is 85% of the actual hard lifetime (hard timeout traffic) plus or minus a random value.

An administrator can set the soft timeout buffer time or soft timeout buffer traffic to adjust the SA re-negotiation time. The soft timeout buffer time or soft timeout buffer traffic takes effect as follows:
  • If the hard lifetime minus the configured soft timeout buffer time is larger than 10s, the system uses that difference (hard lifetime minus buffer time) as the soft lifetime. Otherwise, the default value is used.
  • If the hard timeout traffic minus the configured soft timeout buffer traffic is larger than 7200 KB, the system uses that difference (hard timeout traffic minus buffer traffic) as the soft lifetime. Otherwise, the default value is used.

The soft timeout buffer time or traffic of an IPSec SA can be configured globally or in an IPSec policy. The soft timeout buffer time or traffic configured globally is valid for all IPSec policies, and the soft timeout buffer time or traffic configured in an IPSec policy is valid for only the IPSec policy.
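The rules above (buffer honoured only when the hard lifetime minus the buffer exceeds the 10s or 7200 KB margin, policy-level buffer overriding the global one, IKEv1 and IKEv2 defaults otherwise) are modelled in the following Python helper. This is an added illustration, not Huawei code; the parameter ranges and the 90%/85% defaults come from this page, while the magnitude of the IKEv2 random jitter is an assumption, since the page only says "plus or minus a random value".

```python
import random
from typing import Optional

# Accepted buffer ranges from the command reference.
TIME_BUFFER_RANGE = (10, 36000)         # seconds
TRAFFIC_BUFFER_RANGE = (7200, 4187103)  # kilobytes
# A configured buffer is honoured only when hard - buffer exceeds this margin.
MIN_MARGIN = {"time": 10, "traffic": 7200}
# Assumed jitter magnitude for IKEv2 (the page does not state the actual value).
IKEV2_JITTER = 0.05


def validate_buffer(kind: str, buf: int) -> None:
    """Reject values the CLI would not accept for the given buffer type."""
    lo, hi = TIME_BUFFER_RANGE if kind == "time" else TRAFFIC_BUFFER_RANGE
    if not lo <= buf <= hi:
        raise ValueError(f"{kind}-based buffer {buf} outside {lo}..{hi}")


def effective_buffer(global_buf: Optional[int], policy_buf: Optional[int]) -> Optional[int]:
    """The buffer configured in the IPSec policy overrides the global one."""
    return policy_buf if policy_buf is not None else global_buf


def default_soft(hard: int, ike_version: int, seed: Optional[int] = None) -> int:
    """IKEv1: 90% of the hard lifetime. IKEv2: 85% plus or minus a random jitter."""
    if ike_version == 1:
        return hard * 9 // 10
    jitter = random.Random(seed).uniform(-IKEV2_JITTER, IKEV2_JITTER)
    return int(hard * (0.85 + jitter))


def soft_lifetime(kind: str, hard: int, global_buf: Optional[int] = None,
                  policy_buf: Optional[int] = None, ike_version: int = 1,
                  seed: Optional[int] = None) -> int:
    """Soft lifetime (seconds or KB) at which rekeying starts, per the usage guidelines.

    kind is "time" or "traffic"; hard is the hard lifetime in the same unit.
    """
    buf = effective_buffer(global_buf, policy_buf)
    if buf is not None:
        validate_buffer(kind, buf)
        # Buffer is used only if enough of the hard lifetime remains; otherwise default.
        if hard - buf > MIN_MARGIN[kind]:
            return hard - buf
    return default_soft(hard, ike_version, seed)
```

For example, a 3600s hard lifetime with the page's `time-based buffer 600` rekeys at 3000s, while a buffer that leaves less than 10s falls back to the 90% default.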

Precautions

If the soft timeout buffer time or traffic of an IPSec SA is configured globally and in an IPSec policy, the soft timeout buffer time or traffic configured in the IPSec policy is valid.

During IKEv1 negotiation:
  • The responder cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator cannot initiate IPSec SA renegotiation when its IKE SA is deleted and the IPSec SA soft lifetime expires.

During IKEv2 negotiation:
  • If the responder runs the ike negotiate compatible command in the IKE peer view, it cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • If the responder runs the encapsulation-mode auto command in the IPSec proposal view, it cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator or responder cannot initiate IPSec SA renegotiation when the IKE SA is deleted and the IPSec SA soft lifetime expires.

Example

# Set the global soft timeout buffer time for the IPSec SA to 600s on the FW, which serves as one end of the IPSec VPN tunnel.

<sysname> system-view
[sysname] ipsec sa global-soft-duration time-based buffer 600

# Set the global soft timeout buffer traffic for the IPSec SA to 10000 KB on the FW, which serves as one end of the IPSec VPN tunnel.

<sysname> system-view
[sysname] ipsec sa global-soft-duration traffic-based buffer 10000

Copyright © Huawei Technologies Co., Ltd.