Lifetime
You can set a lifetime for user SAs and IKE SAs.
For information about setting the IKE SA lifetime, see Lifetime.
For signaled IPSec interfaces, both the inbound and outbound SA must be assigned a lifetime. The lifetime parameter controls the duration for which the SA is valid. When a user SA is established, both a timer and a traffic volume counter are set. When either counter reaches the limit specified by the SA lifetime, a new SA is negotiated and the expired SA is deleted. The renegotiations refresh several SA parameters, including keys.
Note the following about how the lifetime parameters work:
- To avoid delays in the data flow, a new user SA is actually renegotiated before the expiration. If the SA expires in the middle of processing a packet, the router finishes processing that packet.
- The actual user SA lifetime may not equal the value configured in the router.
- There are both global and tunnel-specific lifetime parameters. If there is no tunnel-specific lifetime configured, the router uses the global lifetime. The global lifetime parameters have the following default settings:
  - 8 hours for the time-based lifetime
  - 100 MB for the traffic-based lifetime
- Lifetime parameters are valid only for user SAs established via IKE. Manually configured user SAs ignore this parameter.
You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime.
- To set the tunnel lifetime, use the tunnel lifetime command.
- To set the global (default) lifetime, use the ipsec lifetime command.
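As an added example, not part of the original documentation, the following Python audit applies the rules described above to a set of observed user SAs: a tunnel-specific lifetime overrides the global default, either the time counter or the traffic counter reaching its limit expires the SA, and manually configured SAs are exempt. The 0.9 soft-rekey threshold, the 2**20-byte MB and the sample SA records are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

GLOBAL_LIFETIME_SECONDS = 8 * 3600          # page default: 8 hours
GLOBAL_LIFETIME_BYTES = 100 * 1024 * 1024   # page default: 100 MB (2**20-byte MB assumed)
SOFT_FRACTION = 0.9   # assumed: the page says rekeying starts before expiry but gives no figure

@dataclass
class Lifetime:
    seconds: Optional[int] = None   # time-based limit
    bytes: Optional[int] = None     # traffic-based limit

@dataclass
class UserSA:
    name: str
    via_ike: bool                   # manually configured SAs ignore the lifetime
    age_seconds: int
    bytes_protected: int
    tunnel_lifetime: Optional[Lifetime] = None   # tunnel-specific override, if any

def effective_lifetime(sa: UserSA, global_lt: Lifetime) -> Lifetime:
    """Tunnel-specific values win; anything unset falls back to the global lifetime."""
    tl = sa.tunnel_lifetime or Lifetime()
    return Lifetime(
        seconds=tl.seconds if tl.seconds is not None else global_lt.seconds,
        bytes=tl.bytes if tl.bytes is not None else global_lt.bytes,
    )

def sa_state(sa: UserSA, global_lt: Lifetime) -> str:
    """'manual': lifetime not applicable; 'ok'; 'rekey-due': past the soft threshold, so a new
    SA should be negotiating; 'overdue': a limit was hit and the SA should already be gone."""
    if not sa.via_ike:
        return "manual"
    lt = effective_lifetime(sa, global_lt)
    # Either counter reaching its limit expires the SA, so the larger ratio decides.
    worst = max(sa.age_seconds / lt.seconds, sa.bytes_protected / lt.bytes)
    if worst >= 1.0:
        return "overdue"
    if worst >= SOFT_FRACTION:
        return "rekey-due"
    return "ok"

def audit(sas, global_lt=Lifetime(GLOBAL_LIFETIME_SECONDS, GLOBAL_LIFETIME_BYTES)) -> dict:
    return {sa.name: sa_state(sa, global_lt) for sa in sas}

SAMPLE = [  # constructed sample SAs, not real router output
    UserSA("tunnelA", True, 3 * 3600, 10 * 1024 * 1024),                 # inside both limits
    UserSA("tunnelB", True, 3600, 95 * 1024 * 1024),                     # traffic counter near limit
    UserSA("tunnelC", True, 1800, 1024 * 1024, Lifetime(seconds=1200)),  # tunnel time limit exceeded
    UserSA("manualD", False, 20 * 3600, 500 * 1024 * 1024),              # manual SA, lifetime ignored
]
```

An SA reported as "overdue" is the one worth investigating, since the router should have negotiated a replacement and deleted it before either limit was reached.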