Ensure Short Lifetimes for IPsec Associations
IPsec connections should expire in less than four hours to maintain security.
Plain language
Shortening the lifetime of an IPsec connection to under four hours is like changing the locks on your doors every few hours to keep potential burglars at bay. It ensures the data moving across the internet between your systems remains secure, reducing the risk of cyber attackers gaining access to sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Internet Protocol Security
Official control statement
A security association lifetime of less than four hours (14400 seconds) is used for IPsec connections.
Why it matters
If an IPsec security association lifetime exceeds four hours, a compromised key can be used longer, increasing the chance of traffic decryption or tampering.
Operational notes
Configure IPsec SA lifetimes to <14400 seconds (4 hours) on both peers, and regularly verify tunnel rekeying and expiry via device logs/config audits.
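As an added example (not part of the ISM or of this page), the following Python script performs the config-audit step from the note above against a strongSwan-style ipsec.conf: it resolves `conn %default` inheritance, converts the `ikelifetime` (IKE SA) and `lifetime` (IPsec SA) values to seconds, and reports every lifetime that is not strictly below 14400 seconds or that is left unset. The sample configuration and connection names are constructed for the example.

```python
import re

MAX_SA_LIFETIME_S = 14400  # ISM-0498: SA lifetime must be *less than* four hours
LIFETIME_KEYS = ("ikelifetime", "lifetime")  # IKE SA and CHILD (IPsec) SA in ipsec.conf
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value: str) -> int:
    """Convert an ipsec.conf time value ('3h', '45m', '14400') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2) or "s"]

def parse_ipsec_conf(text: str) -> dict:
    """Return {conn_name: {key: value}}; values from 'conn %default' are inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if line.startswith("conn "):  # section header, e.g. 'conn branch-a'
            current = line[5:].strip()
            sections[current] = {}
        elif current is not None and line[:1].isspace() and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
        elif line and not line[0].isspace():  # 'config setup' or other block: stop collecting
            current = None
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **vals} for name, vals in sections.items()}

def audit_lifetimes(text: str) -> list:
    """Return (conn, setting, finding) for each SA lifetime not strictly below 14400 s or left unset."""
    findings = []
    for conn, settings in sorted(parse_ipsec_conf(text).items()):
        for key in LIFETIME_KEYS:
            if key not in settings:  # compliance would rest on the daemon default: verify separately
                findings.append((conn, key, "not set; relies on daemon default"))
            elif (secs := parse_duration(settings[key])) >= MAX_SA_LIFETIME_S:
                findings.append((conn, key, f"{secs}s is not below {MAX_SA_LIFETIME_S}s"))
    return findings

# Constructed sample ipsec.conf for this example; not taken from any real deployment.
SAMPLE_CONF = """\
conn %default
    ikelifetime=8h        # inherited by every conn unless overridden
conn branch-a
    ikelifetime=3h
    lifetime=1h           # compliant: both SAs rekey well under four hours
conn branch-b
    lifetime=4h           # exactly 14400 s, so not *less than* four hours
"""
```

Run the same check on the configuration exported from each peer, since the control requires the lifetime on both ends of the tunnel.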
Implementation tips
- IT team: Regularly configure your IPsec settings to ensure that each connection has a lifetime of less than four hours. This means adjusting the settings on your routers and firewalls so that they automatically reset these secure connections before the time limit is reached.
- Security manager: Review IPsec policy settings to ensure compliance with this control. Work with network administrators to outline clear guidelines on how IPsec connections are managed and ensure these guidelines are actively followed.
- System administrator: Monitor IPsec connection logs to verify the connection lifetimes. Use network tools to set alerts if a connection exceeds the specified duration, then investigate and rectify the issue promptly.
- Procurement manager: Ensure that any new network equipment being purchased is capable of supporting short-lived IPsec security associations. Consult with the IT team to verify that equipment specifications meet this requirement.
- Training coordinator: Organise training sessions for network and IT staff on the importance and process of setting short IPsec lifetimes. Use scenarios and practical drills to illustrate how this control helps in preventing cyber threats.
Audit / evidence tips
- Ask for the IPsec configuration documentation: Request documents detailing the IPsec settings, including connection lifetime. Good evidence: documentation showing IPsec configurations with the lifetime settings clearly less than four hours.
- Ask for network log files: Request recent network logs that include IPsec connection details. Good evidence: log files showing renewed connections within the four-hour window.
- Ask for IT team procedures: Request the standard operating procedures (SOPs) that the IT team follows for configuring and monitoring IPsec connections. Good evidence: SOP documents that enforce routine checks and adjustments to connection lifetimes.
- Ask for training records: Request records of staff training related to IPsec configurations. Good evidence: recent training sessions with evidence of participant understanding and policy compliance.
- Ask for procurement policy documents: Request policies regarding the acquisition of network equipment. Good evidence: policies mandating the purchase of equipment that can enforce short IPsec lifetimes.
Cross-framework mappings
How ISM-0498 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Details |
|---|---|---|
| Annex A 8.9 | Partially meets | ISM-0498 requires organisations to configure IPsec security association (SA) lifetimes to less than four hours to limit cryptographic exp... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.