574 CHAPTER 40: CONFIGURING IPSEC

defined by kilobytes. Hard timeout of SA means that the SA lives for the whole lifetime.

Perform the following configurations in system view.

Table 649 Configure Global SA Lifetime

Operation | Command
Set global SA “Time-based” lifetime (applicable to IPSec software and crypto card) | ipsec sa global-duration time-based seconds
Restore the default value of the global SA “Time-based” lifetime (applicable to IPSec software and crypto card) | undo ipsec sa global-duration time-based
Set global SA “Traffic-based” lifetime (applicable to IPSec software and crypto card) | ipsec sa global-duration traffic-based kilobytes
Restore the default value of the global SA “Traffic-based” lifetime (applicable to IPSec software and crypto card) | undo ipsec sa global-duration traffic-based

By default, the time-based lifetime is 3600 seconds (one hour), and the traffic-based lifetime is 1843200 kilobytes.

Configure a separate SA lifetime

To use a lifetime different from the global one, configure a separate SA lifetime for the SA.

Perform the following configurations in ipsec policy view.

Table 650 Configure Separate SA Lifetime

Operation | Command
Set separate SA lifetime (applicable to IPSec software and crypto card) | sa duration { time-based seconds | traffic-based kilobytes }
Restore the default value of separate SA lifetime (applicable to IPSec software and crypto card) | undo sa duration { time-based seconds | traffic-based kilobytes }

By default, the global SA lifetime applies.
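The precedence rule in the two tables above (a policy-level sa duration overrides the global value, and an unset policy value falls back to the global default) and the hard-timeout behaviour can be checked with a small model. This is an added example written for this page, not 3Com code; the class and function names are illustrative, and the rule that an SA is considered expired as soon as either the time or the traffic limit is reached is standard IPsec behaviour assumed here rather than stated on this page.

```python
"""Model of IPsec SA lifetime resolution and hard timeout (added example, not 3Com code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Defaults stated in the manual for the global lifetime.
DEFAULT_TIME_BASED_SECONDS = 3600
DEFAULT_TRAFFIC_BASED_KILOBYTES = 1843200


@dataclass
class GlobalLifetime:
    """System-view values set with 'ipsec sa global-duration ...'.
    'undo ipsec sa global-duration ...' restores the defaults below."""
    time_based: int = DEFAULT_TIME_BASED_SECONDS
    traffic_based: int = DEFAULT_TRAFFIC_BASED_KILOBYTES


@dataclass
class PolicyLifetime:
    """IPsec-policy-view values set with 'sa duration ...'.
    None means not configured (or removed with 'undo sa duration ...'),
    so the global value applies."""
    time_based: Optional[int] = None
    traffic_based: Optional[int] = None


def effective_lifetime(glob: GlobalLifetime, policy: PolicyLifetime) -> Tuple[int, int]:
    """Return (seconds, kilobytes) that govern SAs negotiated under this policy."""
    seconds = policy.time_based if policy.time_based is not None else glob.time_based
    kilobytes = policy.traffic_based if policy.traffic_based is not None else glob.traffic_based
    return seconds, kilobytes


def sa_expired(elapsed_seconds: int, kilobytes_sent: int,
               glob: GlobalLifetime, policy: PolicyLifetime) -> Optional[str]:
    """Hard timeout: the SA is finished once a lifetime has been fully consumed.
    Assumption (standard IPsec, not from this page): whichever limit is hit first wins.
    Returns 'time-based', 'traffic-based', or None while the SA is still live."""
    seconds, kilobytes = effective_lifetime(glob, policy)
    if elapsed_seconds >= seconds:
        return "time-based"
    if kilobytes_sent >= kilobytes:
        return "traffic-based"
    return None


if __name__ == "__main__":
    # Constructed scenario: global defaults, policy overrides only the traffic limit.
    g = GlobalLifetime()
    p = PolicyLifetime(traffic_based=500)
    print(effective_lifetime(g, p))          # (3600, 500)
    print(sa_expired(10, 600, g, p))         # traffic-based
    print(sa_expired(10, 100, g, p))         # None
```

A policy that sets only one of the two limits still inherits the other from the global configuration, which is why reducing the global traffic lifetime also changes the rekey behaviour of every policy that does not set traffic-based explicitly.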

Enable detection of the reachability of the router at the remote end of the tunnel

When there are primary and backup links between two routers, and both ends use IKE mode to create the SA dynamically, the communication switches to the backup link automatically once the primary link goes into the DOWN state. In this case, a new SA pair (including the phase 1 SA and the phase 2 SA) corresponding to the backup link is created, but the original SA pair on the primary link is not deleted in time. Once the phase 2 SA on the primary link times out and is released (while the phase 1 SA still exists), if the primary link is restored and the communication switches back to it, the phase 1 SAs held on the local router and on the remote router may be inconsistent, so that the IPSec tunnel cannot be established. Enabling the monitoring function ensures that the phase 1 SA is released when the phase 2 SA is released, so that a new SA pair can be re-established between the two routers when the primary link goes into the UP state and the IPSec tunnel can be created correctly.

Please perform the following configurations in system view.
