Cisco MDS 9000 Series Configuration Manual page 216

Security
Global Lifetime Values
If you change a global lifetime, the new lifetime value will not be applied to currently existing SAs, but will be used in the negotiation of subsequently established SAs. If you wish to use the new values immediately, you can clear all or part of the SA database.

Assuming that the particular crypto map entry does not have lifetime values configured, when the switch requests new SAs it will specify its global lifetime values in the request to the peer and will use those values as the lifetime of the new SAs. When the switch receives a negotiation request from the peer, it uses the value determined by the IKE version in use:
• If you use IKEv1 to set up IPsec SAs, the SA lifetime values are chosen to be the smaller of the two proposals. The same values are programmed on both ends of the tunnel.
• If you use IKEv2 to set up IPsec SAs, the SAs on each end have their own set of lifetime values, and thus the SAs on both sides expire independently.

The SA (and its corresponding keys) will expire according to whichever comes sooner: either after the specified amount of time (in seconds) has passed or after the specified amount of traffic (in bytes) has passed.

A new SA is negotiated before the lifetime threshold of the existing SA is reached, so that negotiation completes before the existing SA expires. The new SA is negotiated when one of the following thresholds is reached (whichever comes first):
• 30 seconds before the lifetime expires, or
• approximately 10% of the lifetime in bytes remains.

If no traffic has passed through when the lifetime expires, a new SA is not negotiated. Instead, a new SA will be negotiated only when IPsec sees another packet that should be protected.
To configure global SA lifetimes, follow these steps:

Procedure

Step 1
switch# configure terminal
switch(config)#
Enters configuration mode.

Step 2
switch(config)# crypto global domain ipsec security-association lifetime seconds 86400
Configures the global timed lifetime for IPsec SAs to time out after the specified number of seconds has passed. The global lifetime ranges from 120 to 86400 seconds.

Step 3
switch(config)# no crypto global domain ipsec security-association lifetime seconds 86400
(Optional) Reverts to the factory default of 3,600 seconds.

Step 4
switch(config)# crypto global domain ipsec security-association lifetime gigabytes 4000
Configures the global traffic-volume lifetime for IPsec SAs to time out after the specified amount of traffic (in gigabytes) has passed through the FCIP link using the SA. The global lifetime ranges from 1 to 4095 gigabytes.

Step 5
switch(config)# crypto global domain ipsec security-association lifetime kilobytes 2560
Configures the global traffic-volume lifetime in kilobytes. The global lifetime ranges from 2560 to 2147483647 kilobytes.
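The following is an added example, not code from the Cisco guide: a small Python model of the lifetime rules described above (IKEv1 takes the smaller proposal, IKEv2 keeps each side's own values, rekey 30 seconds before expiry or at roughly 10% of the byte lifetime remaining, no proactive rekey when no traffic has flowed) together with range checks matching the commands in the procedure. Function names are illustrative, the 10% threshold is assumed to apply to the kilobyte lifetime, and the no-traffic rule is modelled as skipping the proactive rekey.

```python
"""Model of this page's IPsec SA lifetime rules (added example, not Cisco code).
Assumptions: names are illustrative; the 10% byte threshold is applied to the
kilobyte lifetime; with no traffic, no proactive rekey happens until a packet arrives."""
from dataclasses import dataclass

# Valid ranges of the global lifetime commands on this page.
SECONDS_RANGE = (120, 86400)
GIGABYTES_RANGE = (1, 4095)
KILOBYTES_RANGE = (2560, 2147483647)
REKEY_TIME_MARGIN_S = 30   # negotiate 30 s before the timed lifetime expires
REKEY_BYTE_PERCENT = 10    # or when about 10% of the byte lifetime remains

def _check(name: str, value: int, bounds: tuple) -> None:
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} is outside the valid range {lo}-{hi}")

@dataclass(frozen=True)
class Lifetime:
    """Global SA lifetime: timed limit in seconds, traffic limit in kilobytes."""
    seconds: int
    kilobytes: int

    def validate(self) -> "Lifetime":
        _check("lifetime seconds", self.seconds, SECONDS_RANGE)
        _check("lifetime kilobytes", self.kilobytes, KILOBYTES_RANGE)
        return self

def negotiated_lifetime(ike_version: int, local: Lifetime, peer: Lifetime) -> Lifetime:
    """IKEv1: the smaller of the two proposals is programmed on both ends.
    IKEv2: each end keeps its own values, so our SA uses the local ones."""
    if ike_version == 1:
        return Lifetime(min(local.seconds, peer.seconds),
                        min(local.kilobytes, peer.kilobytes))
    if ike_version == 2:
        return local
    raise ValueError(f"unsupported IKE version {ike_version}")

def expired(lt: Lifetime, elapsed_s: int, kb_sent: int) -> bool:
    """The SA and its keys expire at whichever limit is reached first."""
    return elapsed_s >= lt.seconds or kb_sent >= lt.kilobytes

def rekey_due(lt: Lifetime, elapsed_s: int, kb_sent: int) -> bool:
    """True when IPsec would start negotiating a replacement SA."""
    if kb_sent == 0:
        return False  # no traffic: wait for the next packet that needs protection
    time_due = elapsed_s >= lt.seconds - REKEY_TIME_MARGIN_S
    bytes_due = (lt.kilobytes - kb_sent) * 100 <= REKEY_BYTE_PERCENT * lt.kilobytes
    return time_due or bytes_due
```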
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
198
Configuring IPSec Network Security