Configuring the IPSec SA Lifetime


Just like the IKE tunnel, the IPSec tunnel is valid for a particular time period called a lifetime. You can configure the IPSec lifetime as a period of time in seconds, and you can also configure the number of kilobytes (KB) of traffic for which the tunnel remains up. The command syntax to configure the IPSec SA lifetime is:

 
 crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

The default IPSec SA lifetime is 3,600 sec (one hour) and 4,608,000KB (10 Mbps). When it reaches either of those maximum values, the IPSec tunnel expires.


Before the IPSec tunnel is torn down, a new tunnel is renegotiated and there is no interruption in the flow of data traffic.


If you want to change the default values to, for example, 1,800 sec and 2,304,000KB, the commands would be as shown in Figure 9.8.

Figure 9.8. IPSec SA lifetime.
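
The following Cisco IOS session is an added example, not a reproduction of the book's figure. It sets the 1,800 sec and 2,304,000KB values from the text globally, shows an optional per-crypto-map override, and checks the result. The crypto map name VPNMAP and sequence number 10 are hypothetical.

```cisco
! Added example: constructed session using the values from the text above.
! Global configuration mode. These values apply to every crypto map entry
! that does not set its own lifetime.
configure terminal
 crypto ipsec security-association lifetime seconds 1800
 crypto ipsec security-association lifetime kilobytes 2304000
 !
 ! Optional: override the global values for a single crypto map entry.
 ! VPNMAP and sequence 10 are hypothetical names for this example.
 crypto map VPNMAP 10 ipsec-isakmp
  set security-association lifetime seconds 1800
  set security-association lifetime kilobytes 2304000
 end
!
! Confirm the global lifetime values now configured.
show crypto ipsec security-association lifetime
!
! SAs that are already established keep the lifetime they negotiated.
! The new values are used for SAs negotiated after the change.
! The "remaining key lifetime (k/sec)" field shows what each SA has left.
show crypto ipsec sa
```

When the two peers are configured with different lifetimes, check `show crypto ipsec sa` on both sides to see the value that was actually negotiated for each SA.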

CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
