
sa duration (ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view)

Function

The sa duration command sets the hard lifetime of IPSec SAs in an IPSec policy or profile.

The undo sa duration command restores the default configuration.

By default, the hard lifetime of IPSec SAs is not configured in an IPSec policy or profile. The system uses the global hard lifetime of IPSec SAs.

Format

sa duration { traffic-based kilobytes | time-based seconds }

undo sa duration { traffic-based | time-based }

Parameters

Parameter: traffic-based kilobytes

  Description: Specifies the traffic-based SA hard lifetime.

  It is recommended that the configured traffic volume be equal to or larger than the volume of IPSec traffic the device forwards in 1 hour, so that rekeying is not triggered more often than once per hour by traffic alone.

  Value: 0 or an integer from 256 to 200000000, in Kbytes.

  • IKEv1 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, both the local and remote devices disable the traffic timeout function.
  • IKEv2 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, the local device disables the traffic timeout function.

  During IPSec negotiation between a Huawei device and a Cisco device using IKEv1:
  • If the Huawei device functions as the initiator and the traffic hard lifetime is set to 0, the traffic hard lifetime value pushed by the Cisco device takes effect on the local end.
  • If the Huawei device functions as the responder and the traffic hard lifetime is set to 0, the value 0 takes effect on the local end.

Parameter: time-based seconds

  Description: Specifies the time-based SA hard lifetime.

  When a large number of IPSec tunnels are established between two devices, you are advised to set the IPSec SA hard lifetime to a value greater than or equal to 1800 seconds, so that the devices are not kept busy renegotiating many SAs at once.

  Value: an integer from 30 to 604800, in seconds.

Views

ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

For a dynamic SA, configure the SA hard lifetime so that the SA and its keys are refreshed periodically. Limiting how long a key stays in use reduces the risk of key compromise and improves security.

There are two methods to measure the lifetime:
  • Time-based lifetime

    The period from when an SA is set up to when the SA is expired.

  • Traffic-based lifetime

    The maximum volume of traffic that this SA can process.

The lifetime is classified as follows:
  • Hard lifetime: specifies the lifetime of an IPSec SA.

    When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime: specifies the time after which a new IPSec SA is negotiated so that the new IPSec SA will be ready before the hard lifetime of the original IPSec SA expires.

    Table 1 lists the default soft lifetime values.

    Table 1 Soft lifetime values

    Soft Lifetime Type: Time-based soft lifetime (soft timeout period)
    Description:
    • For IKEv1, the value is 90% of the actual hard lifetime (hard timeout period).
    • For IKEv2, the value is 85% of the actual hard lifetime (hard timeout period) plus or minus a random value.

    Soft Lifetime Type: Traffic-based soft lifetime (soft timeout traffic)
    Description:
    • For IKEv1, the value is 90% of the actual hard lifetime (hard timeout traffic).
    • For IKEv2, the value is 85% of the actual hard lifetime (hard timeout traffic) plus or minus a random value.

Before an IPSec SA becomes invalid, that is, once its soft lifetime is reached, IKE negotiates a new IPSec SA with the remote end. The remote end uses the new IPSec SA to protect IPSec communication immediately after the negotiation completes. If service traffic is being transmitted, the original IPSec SA is deleted immediately. If no service traffic is being transmitted, the original IPSec SA is deleted after 10s or when its hard lifetime expires, whichever comes first.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

Precautions

The SA lifetime can be configured globally (ipsec sa global-duration) or based on an IPSec policy or profile. If no SA lifetime is configured for the IPSec policy or profile, the global lifetime is used. If both the global SA lifetime and lifetime based on the IPSec policy or profile are configured, the latter one takes effect.

The SA lifetime applies only to SAs set up through IKE negotiation. It has no effect on manually configured SAs, which remain in effect permanently.

During IKEv1 negotiation:
  • The responder cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator cannot initiate IPSec SA renegotiation when its IKE SA is deleted and the IPSec SA soft lifetime expires.

During IKEv2 negotiation:
  • If the responder runs the ike negotiate compatible command in the IKE peer view, it cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • If the responder runs the encapsulation-mode auto command in the IPSec proposal view, it cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator or responder cannot initiate IPSec SA renegotiation when the IKE SA is deleted and the IPSec SA soft lifetime expires.
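The lifetime rules in the Usage Guidelines (smaller value wins, 90%/85% soft lifetimes, expiry when either limit is reached) and the precedence rule in Precautions (policy or profile value over the global value) can be modelled to sanity-check a planned sa duration configuration before it is deployed. The following is an added example, not Huawei code; it assumes the IKEv2 random offset is supplied by the caller as a jitter fraction and that the global value from ipsec sa global-duration is passed in directly:

```python
from typing import List, Optional

def effective_value(policy_value: Optional[int], global_value: int) -> int:
    """Policy/profile setting takes precedence; None means 'not configured' (global applies)."""
    return global_value if policy_value is None else policy_value

def negotiated_hard_lifetime(local: int, peer: int) -> int:
    """Time-based hard lifetime: the smaller of the two peers' configured values takes effect."""
    return min(local, peer)

def negotiated_traffic_lifetime_ikev1(local_kb: int, peer_kb: int) -> int:
    """IKEv1 traffic-based lifetime: 0 on either side disables traffic timeout on both."""
    return 0 if local_kb == 0 or peer_kb == 0 else min(local_kb, peer_kb)

def soft_lifetime(hard: int, ike_version: int, jitter: float = 0.0) -> int:
    """Point at which rekeying starts: 90% (IKEv1) or 85% +/- jitter (IKEv2) of the hard value.
    jitter stands in for the random offset the page mentions (assumed; its size is not documented)."""
    if ike_version == 1:
        return round(hard * 0.90)
    if not -0.10 <= jitter <= 0.10:
        raise ValueError("jitter must keep the soft lifetime well below the hard lifetime")
    return round(hard * (0.85 + jitter))

def sa_expired(age_s: int, sent_kb: int, hard_s: int, hard_kb: int) -> bool:
    """The SA becomes invalid when either limit is reached; hard_kb == 0 means traffic timeout is off."""
    return age_s >= hard_s or (hard_kb != 0 and sent_kb >= hard_kb)

def lifetime_warnings(time_s: int, traffic_kb: int, hourly_kb: int, many_tunnels: bool) -> List[str]:
    """Checks a candidate 'sa duration' pair against the ranges and sizing advice on this page."""
    w = []
    if not 30 <= time_s <= 604800:
        w.append("time-based value must be 30..604800 seconds")
    if traffic_kb != 0 and not 256 <= traffic_kb <= 200000000:
        w.append("traffic-based value must be 0 or 256..200000000 Kbytes")
    if traffic_kb != 0 and traffic_kb < hourly_kb:
        w.append("traffic-based lifetime is below one hour of forwarded IPSec traffic")
    if many_tunnels and time_s < 1800:
        w.append("time-based lifetime is below 1800s with many tunnels between the two devices")
    return w

if __name__ == "__main__":
    # Constructed scenario: local policy sets 7200s, peer is configured with 3600s.
    hard = negotiated_hard_lifetime(effective_value(7200, 3600), 3600)
    print(hard, soft_lifetime(hard, 1), soft_lifetime(hard, 2, 0.05))
    print(lifetime_warnings(7200, 20000, 50000, many_tunnels=False))
```

Note that with the page's own example values (7200 seconds, 20000 KB) the traffic limit is the one that fires first on a link carrying more than 20000 KB per two hours, which is exactly what the one-hour sizing advice is meant to avoid.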

Example

# Set the IPSec SA hard lifetime in IPSec policy policy1 to 7200 seconds.

<sysname> system-view
[sysname] ipsec policy policy1 1 isakmp
[sysname-ipsec-policy-isakmp-policy1-1] sa duration time-based 7200

# Set the IPSec SA hard lifetime in IPSec policy policy2 to 20000 KB.

<sysname> system-view
[sysname] ipsec policy policy2 1 isakmp
[sysname-ipsec-policy-isakmp-policy2-1] sa duration traffic-based 20000

# Set the IPSec SA hard lifetime in IPSec profile profile1 to 7200 seconds.

<sysname> system-view
[sysname] ipsec profile profile1
[sysname-ipsec-profile-profile1] sa duration time-based 7200

# Set the IPSec SA hard lifetime in IPSec profile profile1 to 20000 KB.

<sysname> system-view
[sysname] ipsec profile profile1
[sysname-ipsec-profile-profile1] sa duration traffic-based 20000

Copyright © Huawei Technologies Co., Ltd.