Configure IPsec SA Lifetimes

Just as the ISAKMP SA has a defined lifetime, so does the IPsec SA. A common weakness of any cryptography is that, given a sufficient sample of the traffic and enough time, any encryption can be broken. IKE and IPsec lifetimes force the peers to rekey the connection, changing the parameters of the connection and preventing a potential attacker from gathering a sufficient sample of traffic:

Miami#configure terminal

Miami(config)#crypto ipsec security-association lifetime seconds 1800
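An added example, not part of the original page: a Python check that reads an IOS configuration and reports where the effective IPsec SA time lifetime exceeds the 1800 seconds used above. The sample configuration, the crypto map name VPNMAP and the peer addresses are constructed; the script assumes the IOS defaults of 3600 seconds and 4608000 kilobytes apply when no lifetime is configured, and that a crypto map entry's own lifetime overrides the global value.

```python
import re

# Assumed IOS defaults when no lifetime command is present
DEFAULT_SECONDS = 3600
DEFAULT_KILOBYTES = 4608000

GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
OVERRIDE_RE = re.compile(r"^set security-association lifetime (seconds|kilobytes) (\d+)$")

# Constructed sample configuration (not taken from a real device)
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 1800
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set security-association lifetime seconds 7200
 match address 101
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.2
 match address 102
"""

def effective_lifetimes(config_text):
    """Return {scope: {"seconds": n, "kilobytes": n}} for the global
    setting and for every crypto map entry found in the configuration."""
    glob = {"seconds": DEFAULT_SECONDS, "kilobytes": DEFAULT_KILOBYTES}
    overrides, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):      # top-level line leaves any sub-mode
            current = None
            if (m := GLOBAL_RE.match(line)):
                glob[m.group(1)] = int(m.group(2))
            elif (m := MAP_RE.match(line)):
                current = f"crypto map {m.group(1)} {m.group(2)}"
                overrides[current] = {}
        elif current and (m := OVERRIDE_RE.match(line)):
            overrides[current][m.group(1)] = int(m.group(2))
    # A map entry inherits the global values unless it overrides them
    result = {"global": dict(glob)}
    for scope, own in overrides.items():
        result[scope] = {**glob, **own}
    return result

def audit(config_text, max_seconds=1800):
    """List scopes whose effective time lifetime is longer than the policy."""
    lifetimes = effective_lifetimes(config_text)
    return sorted(s for s, lt in lifetimes.items() if lt["seconds"] > max_seconds)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A configuration with no lifetime command at all is reported under `global`, because the assumed default of 3600 seconds is longer than the 1800-second policy.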
