Chapter 37
Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com
If you change a global lifetime, the new lifetime value will not be applied to currently existing SAs, but
will be used in the negotiation of subsequently established SAs. If you wish to use the new values
immediately, you can clear all or part of the SA database.

Assuming that the particular crypto map entry does not have lifetime values configured, when the switch
requests new SAs it will specify its global lifetime values in the request to the peer; it will use this value
as the lifetime of the new SAs. When the switch receives a negotiation request from the peer, it uses the
value determined by the IKE version in use:

• If you use IKEv1 to set up IPsec SAs, the SA lifetime values are chosen to be the smaller of the two
  proposals. The same values are programmed on both ends of the tunnel.
• If you use IKEv2 to set up IPsec SAs, the SAs on each end have their own lifetime values, and thus
  the SAs on both sides expire independently.

The SA (and corresponding keys) will expire according to whichever comes sooner, either after the
specified amount of time (in seconds) has passed or after the specified amount of traffic (in bytes) has
passed.

A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that
negotiation completes before the existing SA expires.

The new SA is negotiated when one of the following thresholds is reached (whichever comes first):

• 30 seconds before the lifetime expires, or
• Approximately 10% of the lifetime in bytes remains

If no traffic has passed through when the lifetime expires, a new SA is not negotiated. Instead, a new SA
will be negotiated only when IPsec sees another packet that should be protected.

To configure global SA lifetimes, follow these steps:

Step 1
Command:
switch# config terminal
switch(config)#
Purpose: Enters configuration mode.

Step 2
Command:
switch(config)# crypto global domain ipsec security-association lifetime seconds 86400
Purpose: Configures the global timed lifetime for IPsec SAs to time out after the specified number of
seconds has passed. The global lifetime ranges from 120 to 86400 seconds.

Command:
switch(config)# no crypto global domain ipsec security-association lifetime seconds 86400
Purpose: Reverts to the factory default of 3,600 seconds.

Step 3
Command:
switch(config)# crypto global domain ipsec security-association lifetime gigabytes 4000
Purpose: Configures the global traffic-volume lifetime for IPsec SAs to time out after the specified
amount of traffic (in gigabytes) has passed through the FCIP link using the SA. The global lifetime
ranges from 1 to 4095 gigabytes.

Command:
switch(config)# crypto global domain ipsec security-association lifetime kilobytes 2560
Purpose: Configures the global traffic-volume lifetime in kilobytes. The global lifetime ranges from
2560 to 2147483647 kilobytes.

Command:
switch(config)# crypto global domain ipsec security-association lifetime megabytes 5000
Purpose: Configures the global traffic-volume lifetime in megabytes. The global lifetime ranges from
3 to 4193280 megabytes.

Command:
switch(config)# no crypto global domain ipsec security-association lifetime megabytes
Purpose: Reverts to the factory default of 450 GB regardless of what value is currently configured.

OL-18084-01, Cisco MDS NX-OS Release 4.x
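As an added illustration (this is example code written for this edit, not part of the Cisco guide or of NX-OS), the following Python models the lifetime rules described in this section: the IKEv1 versus IKEv2 negotiation outcome, expiry on whichever of the time or traffic-volume limits is reached first, the 30-second and roughly 10%-of-bytes rekey thresholds together with the idle-SA exception, and the documented ranges of the global lifetime commands. It assumes binary (1024-based) kilobyte, megabyte and gigabyte units; the guide does not state this explicitly, but its maximum of 4193280 megabytes equalling 4095 gigabytes implies it.

```python
"""Model of the global IPsec SA lifetime rules described in this section (added example)."""
from dataclasses import dataclass

# Assumption: binary units (4193280 MB == 4095 GB only if 1 GB == 1024 MB).
UNIT_BYTES = {"kilobytes": 1024, "megabytes": 1024 ** 2, "gigabytes": 1024 ** 3}

# Documented ranges of the "security-association lifetime" commands.
LIFETIME_RANGES = {
    "seconds": (120, 86400),
    "kilobytes": (2560, 2147483647),
    "megabytes": (3, 4193280),
    "gigabytes": (1, 4095),
}

# Factory defaults stated in the guide.
DEFAULT_SECONDS = 3600
DEFAULT_BYTES = 450 * UNIT_BYTES["gigabytes"]

# Rekey thresholds stated in the guide.
REKEY_TIME_MARGIN_SECONDS = 30
REKEY_BYTES_FRACTION = 0.10


def validate_global_lifetime(unit: str, value: int) -> int:
    """Reject a value outside the documented range for that unit."""
    low, high = LIFETIME_RANGES[unit]
    if not low <= value <= high:
        raise ValueError(f"{unit} lifetime {value} outside {low}..{high}")
    return value


def to_bytes(unit: str, value: int) -> int:
    """Convert a validated traffic-volume lifetime to bytes."""
    return validate_global_lifetime(unit, value) * UNIT_BYTES[unit]


def negotiate_lifetimes(ike_version: int, local: tuple, peer: tuple) -> tuple:
    """Return the (seconds, bytes) lifetime this end programs for a new SA.

    IKEv1: the smaller of the two proposals, identical on both ends.
    IKEv2: each end keeps its own values, so the two SAs expire independently.
    """
    if ike_version == 1:
        return (min(local[0], peer[0]), min(local[1], peer[1]))
    if ike_version == 2:
        return local
    raise ValueError("ike_version must be 1 or 2")


@dataclass
class IpsecSa:
    lifetime_seconds: int
    lifetime_bytes: int
    age_seconds: int = 0
    bytes_protected: int = 0

    def expired(self) -> bool:
        """Whichever limit is reached first ends the SA and its keys."""
        return (self.age_seconds >= self.lifetime_seconds
                or self.bytes_protected >= self.lifetime_bytes)

    def rekey_due(self) -> bool:
        """Proactive negotiation of a replacement SA.

        Triggered 30 s before expiry or when about 10% of the byte lifetime
        remains, but only if the SA has carried traffic: an idle SA simply
        expires and is replaced when the next packet needs protection.
        """
        if self.bytes_protected == 0:
            return False
        time_left = self.lifetime_seconds - self.age_seconds
        bytes_left = self.lifetime_bytes - self.bytes_protected
        return (time_left <= REKEY_TIME_MARGIN_SECONDS
                or bytes_left <= REKEY_BYTES_FRACTION * self.lifetime_bytes)

    def advance(self, seconds: int, nbytes: int) -> str:
        """Account for elapsed time and protected bytes; report the SA state."""
        self.age_seconds += seconds
        self.bytes_protected += nbytes
        if self.expired():
            return "expired"
        if self.rekey_due():
            return "rekey"
        return "active"


if __name__ == "__main__":
    # Constructed scenario: local default 3600 s / 450 GB against a peer proposing 86400 s / 4095 GB.
    peer = (86400, to_bytes("gigabytes", 4095))
    print("IKEv1 result:", negotiate_lifetimes(1, (DEFAULT_SECONDS, DEFAULT_BYTES), peer))
    sa = IpsecSa(*negotiate_lifetimes(1, (DEFAULT_SECONDS, DEFAULT_BYTES), peer))
    print("after 3575 s with traffic:", sa.advance(3575, 4096))
```

Run stand-alone it prints the IKEv1 negotiation result and shows the time-based rekey trigger firing 25 seconds before the 3600-second expiry. The `bytes_protected == 0` guard in `rekey_due` is the model of the guide's idle-SA rule; removing it would make the model renegotiate SAs that carried no traffic.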
Cisco MDS 9000 Family CLI Configuration Guide
Global Lifetime Values
37-29