The sa duration command specifies the IKE SA hard lifetime for an IKE proposal.
The undo sa duration command restores the default IKE SA hard lifetime.
By default, the IKE SA hard lifetime is 86400 seconds.
| Parameter | Description | Value |
|---|---|---|
| seconds | Specifies the IKE SA hard lifetime. The IKE SA is automatically updated after the hard lifetime expires. | The value is an integer that ranges from 60 to 604800, in seconds. |
Usage Scenario
After an SA lifetime is set, SAs are renegotiated at regular intervals, so their keys change frequently and are harder to decipher, which enhances security.
Hard lifetime (hard timeout period): specifies the lifetime of an IKE SA.
When two devices negotiate an IKE SA, the actual hard lifetime is the smaller of the two values configured on the two devices.
Soft lifetime (soft timeout period): refers to the time after which a new IKE SA is negotiated so that the new IKE SA will be ready before the hard lifetime of the original IKE SA expires.
Before an IKE SA expires, IKE negotiates a new IKE SA with the remote end. The remote end uses the new IKE SA to protect IPSec communication as soon as it is negotiated. If service traffic is being transmitted, the original IKE SA is deleted immediately. If no service traffic is being transmitted, the original IKE SA is deleted after 10 seconds or when its hard lifetime expires.
Precautions
IKE negotiation requires DH calculation, which takes a long time. Therefore, you are advised to set the IKE SA hard lifetime to a value longer than 10 minutes to make sure that the update of IKE SAs does not affect secure communication.
During IKEv1 negotiation, the responder cannot initiate IKE SA renegotiation after the IKE SA soft lifetime expires.
During IKEv2 negotiation, if the ike negotiate compatible command has been run on the responder in the IKE peer view, the responder cannot initiate IKE SA renegotiation after the IKE SA soft lifetime expires.
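The lifetime rules from the Usage Scenario and the 10-minute precaution, modelled as an added Python example (illustration only, not vendor code): the negotiated hard lifetime, the range check on the `seconds` parameter, and when the original SA is removed after the soft-lifetime rekey. The soft lifetime is an assumed input, since the page states no configured value for it.

```python
"""Model of the IKE SA lifetime rules described for `sa duration`.
Added illustration only; not vendor code. The soft lifetime is an
assumed input, since the page states no configured value for it."""
from dataclasses import dataclass
from typing import Optional

HARD_MIN, HARD_MAX = 60, 604800   # range accepted by `sa duration`
DEFAULT_HARD = 86400              # default hard lifetime, in seconds
ADVISED_MIN_HARD = 600            # precaution: at least 10 minutes advised
IDLE_DELETE_DELAY = 10            # idle original SA is removed after 10 s


def validate_hard_lifetime(seconds: int) -> int:
    """Reject values outside the range the command accepts."""
    if not HARD_MIN <= seconds <= HARD_MAX:
        raise ValueError(f"sa duration must be {HARD_MIN}..{HARD_MAX}, got {seconds}")
    return seconds


def negotiated_hard_lifetime(local: int, remote: int) -> int:
    """The actual hard lifetime is the smaller of the two configured values."""
    return min(validate_hard_lifetime(local), validate_hard_lifetime(remote))


def lifetime_warning(hard: int) -> Optional[str]:
    """Flag a hard lifetime short enough that DH rekeying may affect traffic."""
    if hard < ADVISED_MIN_HARD:
        return f"hard lifetime {hard}s is below the advised {ADVISED_MIN_HARD}s"
    return None


@dataclass
class RekeyPlan:
    hard: int                # negotiated hard lifetime (s)
    renegotiate_at: int      # soft lifetime: new SA negotiation starts here
    old_sa_deleted_at: int   # when the original SA is removed


def plan_rekey(local: int, remote: int, soft: int, traffic: bool) -> RekeyPlan:
    """Timeline for one SA generation; `traffic` says whether service traffic
    flows once the new SA is up (negotiation assumed instantaneous)."""
    hard = negotiated_hard_lifetime(local, remote)
    if not 0 < soft < hard:
        raise ValueError("soft lifetime must be shorter than the hard lifetime")
    if traffic:
        deleted = soft                                # deleted immediately
    else:
        deleted = min(soft + IDLE_DELETE_DELAY, hard)  # after 10 s or at hard expiry
    return RekeyPlan(hard, soft, deleted)
```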