Configuring IPSec Security Association Lifetimes

To deny an attacker the opportunity to collect enough traffic encrypted under a single key,
it is important to limit the key lifetime. Expiring the key forces a new key exchange, so
each key protects only a bounded amount of traffic, which greatly reduces the chance that any
one key can be recovered. Computing power continues to advance, and faster hardware can
attack a cipher faster, but any such attack still needs a certain volume of traffic encrypted
under the same key. The idea is to change keys before any system can feasibly collect that
much. The PIX enables you to configure your SA lifetimes, forcing the key exchange. An SA
lifetime can be limited either by the amount of traffic passing through the connection or by
how long the encrypted connection remains open; whichever limit is reached first expires the
SA. The command for configuring a global SA lifetime is as follows:
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
Example 13-3 shows the current configuration, including an SA lifetime of 15 minutes (900
seconds).
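The following configuration fragment is an added example and is not Example 13-3 from the book. It uses PIX 6.x syntax; the crypto map name MYMAP, access list 101, transform set STRONG, the peer address, and the networks are assumed values. It shows the default lifetimes, the tightened global setting, and a per-crypto-map-entry override, which the global command alone does not demonstrate.

```cisco
! Added example (assumed names and addresses), not the book's Example 13-3.
!
! With no lifetime configured, the PIX defaults are 28800 seconds (8 hours)
! and 4608000 kilobytes. The two lines below tighten the global lifetimes so
! that every IPSec SA rekeys after 15 minutes or 10 MB, whichever comes first.
crypto ipsec security-association lifetime seconds 900
crypto ipsec security-association lifetime kilobytes 10240
!
! Traffic to protect and the transform set (assumed values).
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.0.2.1
crypto map MYMAP 10 set transform-set STRONG
! Per-entry override: this tunnel rekeys every 5 minutes regardless of the
! global value. An entry without this line inherits the global lifetime.
crypto map MYMAP 10 set security-association lifetime seconds 300
! PFS forces a fresh Diffie-Hellman exchange at each rekey, so successive
! keys are independent rather than derived from the same ISAKMP SA material.
crypto map MYMAP 10 set pfs group2
crypto map MYMAP interface outside
!
! show crypto map lists the lifetime in effect for each map entry.
show crypto map
```

Two caveats a practitioner should keep in mind. First, these commands govern only the IPSec (phase 2) SA; the ISAKMP (phase 1) SA has its own lifetime, set with the isakmp policy lifetime command. Second, when the two peers propose different lifetimes the shorter one is used, so a short lifetime on the PIX is honored even if the remote peer keeps its default, but the reverse is also true: a short lifetime on the remote side will drive your rekey rate. Very short lifetimes raise rekey overhead, and with PFS each rekey costs a Diffie-Hellman computation, so pick a value that balances exposure per key against that cost.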