Send documentation comments to mdsfeedback-doc@cisco.com.
29-17
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 29 IPsec and IKE
Modifying IKE and IPsec
IPsec Maintenance
Certain configuration changes take effect only when subsequent security associations are negotiated. If you want the new settings to take immediate effect, you must clear the existing security associations so that they are re-established with the changed configuration. If the switch is actively processing IPsec traffic, it is preferable to clear only the portion of the security association database affected by the configuration change (that is, clear only the security associations established by a given crypto map set). Clearing the full security association database should be reserved for large-scale changes, or for times when the switch is processing very little other IPsec traffic.
Global Lifetime Values
You can change the global lifetime values that are used when negotiating new IPsec SAs, and you can override the configured global lifetime values for a specified crypto map entry.
You can configure two lifetimes: timed or traffic-volume. An SA expires after the first of these lifetimes is reached. The default lifetimes are 3,600 seconds (one hour) and 4,500 MB.
If you change a global lifetime, the new lifetime value is not applied to currently existing SAs, but it is used in the negotiation of subsequently established SAs. If you wish to use the new values immediately, you can clear all or part of the SA database.
Assuming that the particular crypto map entry does not have lifetime values configured, when the switch requests new SAs it specifies its global lifetime values in the request to the peer, and it uses these values as the lifetime of the new SAs. When the switch receives a negotiation request from the peer, it uses the value determined by the IKE version in use:
• If you use IKE version 1 (IKEv1) to set up IPsec SAs, the SA lifetime values are chosen to be the smaller of the two proposals. The same values are programmed on both ends of the tunnel.
• If you use IKE version 2 (IKEv2) to set up IPsec SAs, the SAs on each end have their own set of lifetime values, and thus the SAs on the two sides expire independently.
The SA (and its corresponding keys) expires according to whichever comes sooner: either after the specified amount of time (in seconds) has passed or after the specified amount of traffic (in bytes) has passed.
A new SA is negotiated before the lifetime threshold of the existing SA is reached (when 10% of the configured value still remains), to ensure that negotiation completes before the existing SA expires.
If no traffic has passed through when the lifetime expires, a new SA is not negotiated. Instead, a new SA is negotiated only when IPsec sees another packet that should be protected.
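The lifetime rules above, modelled as an added example (not Cisco code or CLI): IKEv1 programs the smaller of the two proposals on both ends, IKEv2 leaves each end with its own values, an SA expires at the first of its time or volume limit, and a rekey is started when 10% of either limit remains. The names `Lifetime`, `negotiate_lifetimes`, `sa_expired` and `rekey_due` are this example's own; treating "no traffic yet" as also suppressing the early rekey is an assumption drawn from the last paragraph.

```python
from dataclasses import dataclass

# Documented defaults: 3,600 seconds (one hour) and 4,500 MB.
DEFAULT_SECONDS = 3600
DEFAULT_BYTES = 4500 * 1024 * 1024


@dataclass(frozen=True)
class Lifetime:
    seconds: int   # timed lifetime
    bytes: int     # traffic-volume lifetime


def effective_lifetime(global_lt, crypto_map_override=None):
    """A crypto map entry's own lifetime, if configured, overrides the global values."""
    return crypto_map_override if crypto_map_override is not None else global_lt


def negotiate_lifetimes(local, peer, ike_version):
    """Return (local_sa_lifetime, peer_sa_lifetime) as programmed on each end.

    IKEv1: both ends take the smaller of the two proposals, per limit.
    IKEv2: each end keeps its own values, so the two SAs expire independently.
    """
    if ike_version == 1:
        agreed = Lifetime(min(local.seconds, peer.seconds), min(local.bytes, peer.bytes))
        return agreed, agreed
    if ike_version == 2:
        return local, peer
    raise ValueError("ike_version must be 1 or 2")


def sa_expired(lt, elapsed_seconds, bytes_passed):
    """The SA (and its keys) expires at whichever limit is reached first."""
    return elapsed_seconds >= lt.seconds or bytes_passed >= lt.bytes


def rekey_due(lt, elapsed_seconds, bytes_passed):
    """Start negotiating a replacement SA once only 10% of either limit remains.

    Assumption for this example: if no protected traffic has passed at all, no
    replacement is negotiated in advance; one is negotiated when the next
    packet that needs protection arrives.
    """
    if bytes_passed == 0:
        return False
    time_threshold = lt.seconds - lt.seconds // 10    # 90% of the timed lifetime
    volume_threshold = lt.bytes - lt.bytes // 10      # 90% of the volume lifetime
    return elapsed_seconds >= time_threshold or bytes_passed >= volume_threshold
```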