DES viability

  • I have a 1.2.3-RELEASE box as a main firewall, and a few other sites connected via IPSec tunnels. Everything is working well for the most part, but I have a rather odd situation where one node can be best/only served by using DES in Phase 2. 3DES/SHA1/DH2 works fine for Phase 1.

    My question is related to the 'lifetime' setting in Phase 2. The FAQ says that it's "the lifetime the negotiated keys will be valid for", but is this referring to while the line is being used, or just how long it can be idle and still valid? If I set that lifetime to be 1800 seconds (a half-hour), will the keys used to encrypt the tunnel change every half-hour, even if data is traversing that tunnel? And if the keys do regenerate in that fashion, is a short lifetime enough to reasonably compensate for the inherent modern weakness of DES?

    The thought is that some joe with a $20,000 computer that could crack DES in eight hours would be unable to break into such a tunnel due to the rotating keys. I'm not really expecting to keep the CIA or NSA from breaking in.

    Am I way off in my perception of how the lifetime function works, or how quickly DES can be compromised?


  • Don't use DES if you are concerned about security, or unless forced to do so. The keys are small (56-bit) and therefore weak; as a result, it is considered insecure.
    Use 3DES or any of the others.
