ISM-0498 ASD Information Security Manual (ISM)

Ensure Short Lifetimes for IPsec Associations

IPsec connections should expire in less than four hours to maintain security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
A security association lifetime of less than four hours (14400 seconds) is used for IPsec connections.

Source: ASD Information Security Manual (ISM)

Plain language

Shortening the lifetime of an IPsec connection to under four hours is like changing the locks on your doors every few hours to keep potential burglars at bay. It ensures the data moving across the internet between your systems remains secure, reducing the risk of cyber attackers gaining access to sensitive information.

Why it matters

If an IPsec security association lifetime exceeds four hours, a compromised key can be used longer, increasing the chance of traffic decryption or tampering.

Operational notes

Configure IPsec SA lifetimes to less than 14400 seconds (4 hours) on both peers, and regularly verify tunnel rekeying and expiry through device logs and configuration audits.
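
A configuration audit for the check described above, as an added example that is not part of the ISM or Control Stack material. It assumes strongSwan's legacy `ipsec.conf` syntax (the `lifetime`, `keylife` and `ikelifetime` keywords with s/m/h/d suffixes), runs on a constructed sample, and does not resolve `%default` or `also=` inheritance.

```python
import re

MAX_SECONDS = 14400  # ISM-0498: lifetime must be strictly less than this
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Assumption: these ipsec.conf keywords are the lifetimes in scope for the audit.
LIFETIME_KEYS = {"lifetime", "keylife", "ikelifetime"}

def to_seconds(value):
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def audit(conf_text):
    """Return [(conn, key, seconds, verdict)], one or more rows per conn."""
    conns, conn = {}, None          # conn name -> {key: raw value}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():   # unindented line starts a new section
            parts = line.split()
            conn = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if conn is not None:
                conns.setdefault(conn, {})
        elif conn is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in LIFETIME_KEYS:
                conns[conn][key] = value
    findings = []
    for name, keys in conns.items():
        if not keys:  # no explicit value: device default applies, confirm it
            findings.append((name, "lifetime", None, "UNSET"))
        for key, value in keys.items():
            secs = to_seconds(value)
            findings.append((name, key, secs, "PASS" if secs < MAX_SECONDS else "FAIL"))
    return findings

SAMPLE = """\
# constructed sample, not taken from a real device
conn site-a
    lifetime = 1h
    ikelifetime = 3h
conn site-b
    keylife = 4h          # exactly 14400 s is not "less than" four hours
conn site-c
    auto = start
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A value of exactly `4h` fails because the control requires less than 14400 seconds. `UNSET` rows mean no explicit lifetime was found in that section, so the effective value has to be confirmed on the device.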

Implementation tips

  • IT team: Regularly configure your IPsec settings to ensure that each connection has a lifetime of less than four hours. This means adjusting the settings on your routers and firewalls so that they automatically reset these secure connections before the time limit is reached.
  • Security manager: Review IPsec policy settings to ensure compliance with this control. Work with network administrators to outline clear guidelines on how IPsec connections are managed and ensure these guidelines are actively followed.
  • System administrator: Monitor IPsec connection logs to verify the connection lifetimes. Use network tools to set alerts if a connection exceeds the specified duration, then investigate and rectify the issue promptly.
  • Procurement manager: Ensure that any new network equipment being purchased is capable of supporting short-lived IPsec security associations. Consult with the IT team to verify that equipment specifications meet this requirement.
  • Training coordinator: Organise training sessions for network and IT staff on the importance and process of setting short IPsec lifetimes. Use scenarios and practical drills to illustrate how this control helps in preventing cyber threats.

Audit / evidence tips

  • Ask for the IPsec configuration documentation: Request documents detailing the IPsec settings, including connection lifetime.

    Good: Documentation showing IPsec configurations with lifetime settings clearly less than four hours.

  • Ask for network log files: Request recent network logs that include IPsec connection details.

    Good: Log files showing connections renewed within the four-hour window.

  • Ask for IT team procedures: Request the standard operating procedures (SOPs) that the IT team follows for configuring and monitoring IPsec connections.

    Good: SOP documents that enforce routine checks and adjustments to connection lifetimes.

  • Ask for training records: Request records of staff training related to IPsec configurations.

    Good: Records of recent training sessions with evidence of participant understanding and policy compliance.

  • Ask for procurement policy documents: Request policies regarding the acquisition of network equipment.

    Good: Policies mandating the purchase of equipment that can enforce short IPsec lifetimes.

Cross-framework mappings

How ISM-0498 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.9 ISM-0498 requires organisations to configure IPsec security association (SA) lifetimes to less than four hours to limit cryptographic exp...
