Method used to configure the life cycle of the IPSec security association on USG firewalls

14

You can configure the lifetime of the IPSec security association on USG firewalls as follows:
Configure the lifetime for the IPSec VPN security association (SA).
1. Configure the IKE SA hard lifetime.
Configure the IKE SA lifetime. You can modify the per-SA lifetime instead of global lifetime.
system-view //Enter the system view.
ike proposal proposal-number, //Enter the IKE security proposal view.
sa duration seconds, //Configure the IKE SA hard lifetime.

Pay attention to the following aspects when configuring the IKE SA lifetime:
a) If the hard lifetime is expired, the SA is automatically updated. The IKE negotiation needs to perform the DH calculation that consumes a long period of time. It is recommended that the lifetime be longer than 600s, to protect the security communication from being affected by the SA update.
b) Before the lifetime (soft lifetime) expires, the SA negotiates with another SA to replace the old SA. Before the new SA negotiation is complete, the old SA is used. After the new SA is established, the new SA immediately takes effect, and the old SA is automatically cleared upon lifetime expiration.
By default, the hard lifetime of the IKE SA is 86400s (1 day).
2. Configure the IKE SA soft lifetime.
system-view //Enter the system view.
ike peer peer-name //Enter the IKE Peer view.
sa soft-duration time-based buffer seconds //Configure the soft lifetime of the IKE SA.
This configuration is valid only to the IKEv1 protocol.
a) By default, the soft lifetime is 9/10 of the hard lifetime. That is, a new SA, used to replace the old SA, is negotiated at the 9/10 length of the SA lifetime.
b) After the soft lifetime is configured, if the difference between the hard lifetime and the soft lifetime is longer than 10s, the difference is used as the soft lifetime. Otherwise, the default value (9/10 of the hard lifetime) is used as the soft lifetime.

display ike proposal //View the hard lifetime of the IKE SA.
[USG] display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---
10 PRE_SHARED MD5 DES_CBC MODP_768 5000
default PRE_SHARED SHA1 AES_CBC MODP_1024 86400
display ike peer [ brief | name peer-name ] //View the soft lifetime of the IKE SA.
[USG] display ike peer name b
--
IKE peer: b
Exchange mode: main on phase 1
Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$
Local certificate file name:
Proposal: 10
Local ID type: IP
Peer IP address: 202.38.169.1
VPN instance:
Authentic IP address:
IP address pool:
Peer name:
Peer domain name:
VPN instance bound to the SA:
NAT traversal: enable
SA soft timeout buffer time: 22 seconds
OCSP check: disable
OCSP server URL:
Applied to 1 policy: ppp1-1-isakmp

Other related questions:
Configuration of the security association on the USG firewalls
Configuration of the security association on the USG firewalls Create an IPSec SA in IKE negotiation mode. 1. The communication between network A and network B requires an IPSec tunnel, established between USG_A and USG_B, to encrypt and transmit data. The internal network segment of network A is 10.1.1.0/24, and the USA public IP address is 202.38.163.1/24. The internal network segment of network B is 10.1.2.0/24, and the public IP address is 202.38.169.1/24. Network A---USG_A----INTERNET----USG_B---Network B 2. The configuration procedure is as follows: [USG_A] acl 3000 //Configure ACL rules used to match the sensitive traffic. [USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [USG_A-acl-adv-3000] quit [USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure the route. [USG_A] ipsec proposal tran1 //Configure the IPSec security proposal. [USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_A-ipsec-proposal-tran1] transform esp [USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_A-ipsec-proposal-tran1] quit [USG_A] ike proposal 10 //Configure the IKE security proposal. [USG_A-ike-proposal-10] authentication-method pre-share [USG_A-ike-proposal-10] authentication-algorithm sha1 [USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_A-ike-proposal-10] quit [USG_A] ike peer b //Configure the IKE peer. [USG_A-ike-peer-b] ike-proposal 10 [USG_A-ike-peer-b] remote-address 202.38.169.1 [USG_A-ike-peer-b] pre-shared-key abcde [USG_A-ike-peer-b] quit [USG_A] ipsec policy map1 10 isakmp //Configure IPSec security policies. [USG_A-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_A-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_A-ipsec-policy-isakmp-map1-10] ike-peer b [USG_A-ipsec-policy-manual-map1-10] quit [USG_A] interface GigabitEthernet 0/0/2 [USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface. [USG_B] acl 3000 //Configure ACL rules used to match the sensitive traffic. [USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [USG_B-acl-adv-3000] quit [USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure the route. [USG_B] ipsec proposal tran1 //Configure the IPSec security proposal. [USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_B-ipsec-proposal-tran1] transform esp [USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_B-ipsec-proposal-tran1] quit [USG_B] ike proposal 10 //Configure the IKE security proposal. [USG_B-ike-proposal-10] authentication-method pre-share [USG_B-ike-proposal-10] authentication-algorithm sha1 [USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_B-ike-proposal-10] quit [USG_B] ike peer a //Configure the IKE peer. [USG_B-ike-peer-a] ike-proposal 10 [USG_B-ike-peer-a] remote-address 202.38.163.1 [USG_B-ike-peer-a] pre-shared-key abcde [USG_B-ike-peer-a] quit [USG_B] ipsec policy map1 10 isakmp //Configure IPSec security policies. [USG_B-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_B-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_B-ipsec-policy-isakmp-map1-10] ike-peer a [USG_B-ipsec-policy-isakmp-map1-10] quit [USG_B] interface GigabitEthernet 0/0/2 [USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface.

Configuring SSL VPN parameters for the USG
Configure SSL parameters. Configure the SSL version supported by the USG, encryption suite, session timeout duration, and life cycle. You can retain the default values. Procedure: system-view v-gateway v-gateway-name //Access the virtual gateway view. basic, //Access the basic virtual gateway view. ssl version { sslv30+tlsv10 | tlsv10 } //Configure the SSL version supported by the USG. By default, the USG supports SSL3.9 and TLS1.0. ssl ciphersuit { allciphersuit | custom { aes256-sha | non-aes256-sha } { des-cbc3-sha | non-des-cbc3-sha } { rc4-sha | non-rc4-sha } { rc4-md5 | non-rc4-md5 } { aes128-sha | non-aes128-sha } { des-cbc-sha | non-des-cbc-sha } } //Configure the SSL encryption suite. ssl timeout time //Configure the SSL session timeout duration. ssl lifecycle { time | no-time-limit } //Configure the SSL life cycle. ssl session-reuse enable //Enable the SSL session reuse function. Follow-up processing display ssl //View SSL configuration.

Time at which the USG9000 clears an IPSec SA
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted.

USG firewall security association
USG firewall security association What is security association (SA)? The IPSec SA is a unidirectional logical connection created for security purposes. The SA is bidirectional and requires an IPSec SA in each direction. The number of SAs depends on the security protocol. If either the AH or ESP is used to protect traffic between peers, two SAs, one in each direction, exist between the peers. If both the AH and the ESP are used, four SAs, two in each direction corresponding to the AH and the ESP, exist between the peers. Therefore, an IPSec SA is not equivalent to a connection. The IPSec SA is uniquely identified by a triplet. The triplet includes the following elements: Security Parameter Index (SPI) The SPI is a 32-bit value that is generated to uniquely identify an SA. The SPI is carried in the AH and ESP headers. The SPI, destination IP address, and security protocol number uniquely identify an IPSec SA. Destination IP address Security protocol number (AH or ESP) Creation mode The IPSec SA is classified into two types: SA that is manually created and SA that is created by means of IKE automatic negotiation (isakmp). Major differences between two types of SAs are as follows: Different key generation modes In manual mode, all parameters required by the IPSec SA, including encryption and verification keys, are manually configured or manually updated. In IKE mode, encryption and verification keys required by the IPSec SA are generated by the DH algorithm and can be dynamically updated. The key management cost is low and the security is high. Different IPSec SA lifetime In manual mode, once an IPSec SA is created, it permanently exists. In IKE mode, the IPSec SA establishment is triggered by the data flow, and the SA lifetime is controlled by lifetime parameters configured on both ends.

Method used to view the security association information on USG firewalls
The common IPSec maintenance command used on USG firewalls is as follows: display ipsec sa //Display the security association configuration.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top