security-association

crypto-map-ipsec-isakmp-instance

Defines the settings of the IPSec SAs created by this auto site-to-site VPN tunnel or remote VPN client.

Supported on the following devices:

Syntax

security-association [inactivity-timeout|level|lifetime]
security-association [inactivity-timeout <120-86400>|level perhost]
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters

security-association [inactivity-timeout <120-86400>|level perhost]
inactivity-timeout <120-86400> Specifies an inactivity period, in seconds, for this IPSec VPN SA. Once the set value is exceeded, the association is timed out.
  • <120-86400> – Specify a value from 120 - 86400 seconds. The default is 900 seconds.
level perhost Specifies the granularity level for this IPSec VPN SA.
  • perhost – Sets the IPSec VPN SA's granularity to the host level
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
lifetime [kilobytes <500-2147483646>|seconds <120-86400>] Defines the IPSec SA's lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends the security association.
  • kilobytes <500-2147483646> – Defines volume-based key duration. Specify a value from 500 - 2147483646 kilobytes. Select this option to define a connection volume lifetime (in kilobytes) for the duration of the IPSec VPN SA. Once the set volume is exceeded, the association is timed out. This option is disabled by default.
  • seconds <120-86400> – Defines time-based key duration. Specify the time frame from 120 - 86400 seconds. Select this option to define a lifetime (in seconds) for the duration of the IPSec VPN SA. Once the set value is exceeded, the association is timed out. This option is disabled by default.

Example

Site-to-site tunnel:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#security-association inactivity-timeout 200

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#security-association level perhost

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#security-association lifetime kilobytes 250000

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  security-association level perhost
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  pfs 5
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
  ip nat crypto
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#

Remote VPN client:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#2)#security-association lifetime seconds 10000

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
  security-association lifetime seconds 10000
  remote-type none
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#2)#
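
Auditing saved configurations (an added example, not part of the original reference or the vendor's tooling): the Python sketch below reads crypto map blocks in the show context layout shown above, checks each security-association value against the ranges documented on this page, and reports which lifetime limits are left unset. The function name audit and the "lab 3" map are hypothetical; the first two maps reuse the security-association lines from the examples above.

```python
import re

# Value ranges documented on this page for the security-association command.
RANGES = {
    "inactivity-timeout": (120, 86400),
    "lifetime seconds": (120, 86400),
    "lifetime kilobytes": (500, 2147483646),
}
MAP_RE = re.compile(r"^\s*crypto map (\S+) (\d+) ipsec-isakmp\b")
SA_RE = re.compile(
    r"^\s*security-association (inactivity-timeout|lifetime (?:seconds|kilobytes)) (\d+)\s*$"
)

# First two maps are taken from the examples above; "lab 3" is constructed
# to show an out-of-range value, e.g. from a hand-edited template.
SAMPLE = """\
 crypto map test 1 ipsec-isakmp
  security-association level perhost
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
 crypto map test 2 ipsec-isakmp dynamic
  security-association lifetime seconds 10000
 crypto map lab 3 ipsec-isakmp
  security-association lifetime seconds 60
"""


def audit(show_context):
    """Return {"<map> <seq>": [findings]} for every crypto map in the text."""
    maps, current = {}, None
    for line in show_context.splitlines():
        if m := MAP_RE.match(line):
            current = maps.setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif (s := SA_RE.match(line)) and current is not None:
            current[s.group(1)] = int(s.group(2))
    report = {}
    for name, sa in maps.items():
        # Values outside the documented range come first, then unset limits.
        findings = [
            f"{key} {value} outside {RANGES[key][0]}-{RANGES[key][1]}"
            for key, value in sa.items()
            if not RANGES[key][0] <= value <= RANGES[key][1]
        ]
        for key in ("lifetime seconds", "lifetime kilobytes"):
            if key not in sa:
                findings.append(f"{key} not set (disabled by default)")
        report[name] = findings
    return report
```

Calling audit(SAMPLE) returns one list of findings per crypto map, keyed by map name and sequence number.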