Step 2Configure Global IPSec Security Association Lifetimes

ID D f .3 router(config) #

crypto ipsec






1 kilobytes


RouterA (config)# crypto ipsec security - association lifetime 86400

RouterA (config)# crypto ipsec security - association lifetime 86400

• Configures global IPSec SA lifetime values used when negotiating IPSec security associations.

• IPSec SA lifetimes are negotiated during IKE Phase 2.

• Can optically configure interface-specific IPSec SA lifetimes in crypto maps.

• IPSec SA lifetimes in crypto maps override global IPSec SA lifetimes.

© 2004 Cisco Systems, Inc. All rights reserved. bcran v2.1—5-5

The IPSec SA lifetime determines how long IPSec SAs remain valid before they are renegotiated. Cisco IOS software supports a global lifetime value that applies to all crypto maps. The global lifetime value can be overridden with a crypto map entry. You can change global IPSec SA lifetime values using the crypto ipsec security-association lifetime global configuration command. To reset a lifetime to the default value, use the no form of the command. The command syntax and parameter definitions are as follows:

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

crypto ipsec security-association lifetime Command



seconds seconds

Specifies the number of seconds a security association will live before expiring. The default is 3600 sec (one hour).

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given SA before that SA expires. The default is 4,608,000 KB.

Cisco recommends that you use the default lifetime values. Individual IPSec SA lifetimes can be configured using crypto maps, which are covered later in this lesson.

0 0

Post a comment