Configuring the Lifetime Association for a Policy
Caution
You may need to configure the initiator version even when the switch does not behave as an IKE initiator
under normal circumstances. Always using this option guarantees a faster recovery of traffic flows in case of
failures.
Tip
The keepalive time only applies to IKEv2 peers and not to all peers.
Note
When IPsec implementations in the host prefer to initiate the IPsec rekey, be sure to configure the IPsec
lifetime value in the Cisco MDS switch to be higher than the lifetime value in the host.
This section includes the following topics:
Configuring the Lifetime Association for a Policy
To configure the lifetime association for each policy, follow these steps:
Procedure
Step 1
switch# configure terminal
switch(config)#
Enters configuration mode.
Step 2
switch(config)# crypto ike domain ipsec
switch(config-ike-ipsec)#
Allows IPsec domains to be configured in this switch.
Step 3
switch(config-ike-ipsec)# policy 1
switch(config-ike-ipsec-policy)#
Specifies the policy to configure.
Step 4
switch(config-ike-ipsec-policy)# lifetime seconds 6000
Configures a lifetime of 6,000 seconds.
Step 5
switch(config-ike-ipsec-policy)# no lifetime seconds 6000
(Optional) Deletes the configured lifetime value and defaults to 86,400 seconds.
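The procedure above, replayed as an added Python example (not part of the Cisco guide): it walks a CLI transcript and reports the lifetime each policy ends up with, including the fall-back to 86,400 seconds after the `no` form or when no lifetime is set. The transcript is constructed, policies 2 and 3 and the function names are hypothetical, and the parser understands only the commands shown in this procedure plus `exit` and `end`.

```python
import re

DEFAULT_LIFETIME = 86400  # seconds; the default the guide states for a policy

# Constructed transcript. Policy 1 follows the page's steps; policies 2 and 3
# are hypothetical additions that exercise the "no lifetime" and unset cases.
SAMPLE_SESSION = """\
switch# configure terminal
switch(config)# crypto ike domain ipsec
switch(config-ike-ipsec)# policy 1
switch(config-ike-ipsec-policy)# lifetime seconds 6000
switch(config-ike-ipsec-policy)# exit
switch(config-ike-ipsec)# policy 2
switch(config-ike-ipsec-policy)# lifetime seconds 6000
switch(config-ike-ipsec-policy)# no lifetime seconds 6000
switch(config-ike-ipsec-policy)# exit
switch(config-ike-ipsec)# policy 3
switch(config-ike-ipsec-policy)# end
"""

def effective_lifetimes(session):
    """Replay CLI lines and return {policy number: lifetime in seconds}."""
    lifetimes = {}
    in_ike = False   # True while inside "crypto ike domain ipsec"
    policy = None    # policy number currently being edited, if any
    for raw in session.splitlines():
        # Strip a leading "switch(...)#" prompt copied from the terminal.
        cmd = re.sub(r"^\s*\S*#\s*", "", raw).strip()
        if cmd == "crypto ike domain ipsec":
            in_ike, policy = True, None
        elif in_ike and (m := re.fullmatch(r"policy (\d+)", cmd)):
            policy = int(m.group(1))
            lifetimes.setdefault(policy, DEFAULT_LIFETIME)
        elif policy is not None and (
                m := re.fullmatch(r"(no )?lifetime seconds (\d+)", cmd)):
            # The "no" form removes the value, so the default applies again.
            lifetimes[policy] = DEFAULT_LIFETIME if m.group(1) else int(m.group(2))
        elif cmd == "end":
            in_ike, policy = False, None
        elif cmd == "exit":
            if policy is not None:
                policy = None      # back to config-ike-ipsec
            else:
                in_ike = False     # back to global config
    return lifetimes

def policies_on_default(lifetimes):
    """Policies whose effective lifetime is the 86,400-second default."""
    return sorted(p for p, s in lifetimes.items() if s == DEFAULT_LIFETIME)

if __name__ == "__main__":
    result = effective_lifetimes(SAMPLE_SESSION)
    print(result, policies_on_default(result))
```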
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Configuring IPSec Network Security