561Predefined user rolesnetwork-adminParameterstime-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295kilobytes.Usage guidelinesIKE prefers the SA lifetime of the IPsec policy, IPsec policy template, or IPsec profile over the globalSA lifetime configured by the ipsec sa global-duration command. If the IPsec policy, IPsec policytemplate, or IPsec profile is not configured with the SA lifetime, IKE uses the global SA lifetime for SAnegotiation.During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and theremote SA lifetime.Examples# Set the SA lifetime for the IPsec policy policy1 to 7200 seconds. system-view[Sysname] ipsec policy policy1 100 isakmp[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200# Set the SA lifetime for the IPsec policy policy1 to 20 MB. The IPsec SA expires after transmitting20480 kilobytes. system-view[Sysname] ipsec policy policy1 100 isakmp[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480Related commandsdisplay ipsec saipsec sa global-durationsa hex-key authenticationUse sa hex-key authentication to configure a hexadecimal authentication key for manual IPsecSAs.Use undo sa hex-key authentication to remove the hexadecimal authentication key.Syntaxsa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } stringundo sa hex-key authentication { inbound | outbound } { ah | esp }DefaultNo hexadecimal authentication key is configured for manual IPsec SAs.ViewsIPsec policy viewIPsec profile viewPredefined user rolesnetwork-admin