Step 3-2 Configure Global IPSec Security Association Lifetimes
IPSec security associations use shared secret keys; the keys and the
security associations that use them time out together, based on the configured SA
lifetime. This section looks at configuring a global lifetime value that is used
whenever a particular crypto map entry has no lifetime values of its own. When a
router receives a negotiation request from a peer, it uses the smaller of the
lifetime value proposed by the peer and its locally configured global lifetime
value for the new security associations.
Two lifetimes can be configured: a “timed” lifetime and a “traffic-volume”
lifetime. The SA and its keys expire when the first of these two lifetimes
expires.
A change to the global lifetime affects only crypto map entries that don’t
specify a lifetime value of their own. The change isn’t applied to existing
security associations; it is used in subsequent SA negotiations.
Use the global crypto ipsec security-association lifetime command to set
the global lifetime. For a timed lifetime, use the seconds form of the command.
The kilobytes form causes the security association to time out after the
specified amount of traffic (in kilobytes) has been protected with its keys. The
lifetime values are ignored for manually established security associations
installed by a crypto map entry created with the ipsec-manual keyword, because
those SAs are never renegotiated. To reset a lifetime to its default value, use
the no form of the command. The command syntax is as follows:
Rtr1(config)#crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
Rtr1(config)#no crypto ipsec security-association lifetime {seconds | kilobytes}
The default value for a timed lifetime is 3,600 seconds (one hour), with a
range of acceptable values from 120 to 86,400 seconds (one day). The default
value for a traffic-volume lifetime is 4,608,000 kilobytes, which is roughly 10
megabits per second sustained for one hour, with a range of acceptable values
from 2,560 to 536,870,912 kilobytes. These values govern the IPSec (IKE phase 2)
security associations only; the IKE security association itself has a separate
lifetime, configured under the ISAKMP policy. Shorter lifetimes make it harder
for an intruder to mount a successful key recovery attack, because less data is
encrypted under any one key. The downside is that shorter lifetimes mean more
frequent SA negotiations, and therefore more CPU time spent establishing new
security associations.
The following example shortens the timed lifetime to 1,800 seconds
(30 minutes) and the traffic-volume lifetime to 2,300,000 kilobytes. The show
crypto ipsec security-association lifetime command confirms the result.
Rtr1(config)#crypto ipsec security-association lifetime seconds 1800
Rtr1(config)#crypto ipsec security-association lifetime kilobytes 2300000
Rtr1(config)#end
Rtr1#show crypto ipsec security-association lifetime
Security association lifetime: 2300000 kilobytes/1800 seconds
Rtr1#
How These Lifetimes Work
The SA and its keys expire when either lifetime expires. To help ensure a
replacement SA is ready before the old one expires, the router starts
negotiating the new SA either 30 seconds before the timed lifetime expires or
when 256 kilobytes remain on the traffic-volume lifetime, whichever occurs
first. If no traffic has passed through the tunnel during the entire life of
the SA, no replacement is negotiated in advance; a new SA is negotiated only
when IPSec sees another packet that should be protected.
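The following added example is not from the book or from Cisco; it is a small Python model of the rules described in this step and in "How These Lifetimes Work": the acceptable ranges and defaults of the global command, the "smaller of local and peer" negotiation, the 30-second and 256-kilobyte pre-expiry rekey triggers (including the idle-tunnel case), a parser for the output of show crypto ipsec security-association lifetime so the values can be audited from a script, and the calculation behind the "about 10 megabits per second for one hour" default. The Lifetime class, the function names and the sample show output are constructed for the example.

```python
"""Model of IPsec SA lifetime configuration, negotiation and rekey triggers.

Constructed example (not Cisco code). The ranges, defaults and thresholds are
the ones documented for 'crypto ipsec security-association lifetime'.
"""
import re
from dataclasses import dataclass

# Acceptable ranges and defaults of the global command.
SECONDS_MIN, SECONDS_MAX, SECONDS_DEFAULT = 120, 86_400, 3_600
KB_MIN, KB_MAX, KB_DEFAULT = 2_560, 536_870_912, 4_608_000

# Margins before expiry at which the router begins negotiating a replacement SA.
REKEY_SECONDS_BEFORE = 30
REKEY_KB_BEFORE = 256


@dataclass(frozen=True)
class Lifetime:
    """A pair of lifetimes; the SA expires when the first of the two is reached."""
    seconds: int
    kilobytes: int


def validate_global(seconds=SECONDS_DEFAULT, kilobytes=KB_DEFAULT) -> Lifetime:
    """Reject values IOS would refuse for the global lifetime command."""
    if not SECONDS_MIN <= seconds <= SECONDS_MAX:
        raise ValueError(f"seconds {seconds} outside {SECONDS_MIN}-{SECONDS_MAX}")
    if not KB_MIN <= kilobytes <= KB_MAX:
        raise ValueError(f"kilobytes {kilobytes} outside {KB_MIN}-{KB_MAX}")
    return Lifetime(seconds, kilobytes)


def negotiate(local: Lifetime, peer: Lifetime) -> Lifetime:
    """The responder uses the smaller of its own and the peer's proposal, per lifetime."""
    return Lifetime(min(local.seconds, peer.seconds),
                    min(local.kilobytes, peer.kilobytes))


def sa_state(sa: Lifetime, elapsed_seconds: int, kb_protected: int) -> str:
    """Return 'active', 'rekey' (replacement negotiation should be under way)
    or 'expired' for an SA that has run elapsed_seconds and protected kb_protected."""
    if elapsed_seconds >= sa.seconds or kb_protected >= sa.kilobytes:
        return "expired"
    # An SA that carried no traffic is not pre-negotiated; the next protected
    # packet after expiry triggers the new negotiation instead.
    if kb_protected == 0:
        return "active"
    if (elapsed_seconds >= sa.seconds - REKEY_SECONDS_BEFORE
            or kb_protected >= sa.kilobytes - REKEY_KB_BEFORE):
        return "rekey"
    return "active"


def parse_show_lifetime(output: str) -> Lifetime:
    """Extract the configured values from 'show crypto ipsec security-association
    lifetime' output, e.g. 'Security association lifetime: 2300000 kilobytes/1800 seconds'."""
    m = re.search(r"lifetime:\s*(\d+)\s*kilobytes/(\d+)\s*seconds", output)
    if not m:
        raise ValueError("unrecognised show output")
    return Lifetime(seconds=int(m.group(2)), kilobytes=int(m.group(1)))


def balanced_rate_mibps(lt: Lifetime) -> float:
    """Throughput (mebibits per second) at which the volume lifetime and the timed
    lifetime would expire at the same moment: kilobytes * 8 bits / 1024 / seconds."""
    return lt.kilobytes * 8 / 1024 / lt.seconds


if __name__ == "__main__":
    # Constructed sample of the show command output from the configuration above.
    SHOW_OUTPUT = "Security association lifetime: 2300000 kilobytes/1800 seconds"
    local = parse_show_lifetime(SHOW_OUTPUT)
    sa = negotiate(local, Lifetime(seconds=3600, kilobytes=KB_DEFAULT))
    print("negotiated:", sa)
    for elapsed, kb in [(600, 1000), (1771, 1000), (600, 2_299_800), (1800, 500), (1771, 0)]:
        print(f"t={elapsed:5d}s kb={kb:9d} -> {sa_state(sa, elapsed, kb)}")
    print("default volume lifetime corresponds to",
          balanced_rate_mibps(validate_global()), "Mibit/s for one hour")
```

Running the script shows that the configured 1,800 s / 2,300,000 KB pair wins the negotiation against a peer proposing the defaults, that rekeying starts at 1,770 s or at 2,299,744 KB, and that an SA which never carried traffic stays merely "active" until it expires rather than being renegotiated early.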