STIGQter: STIG Summary: Virtual Private Network (VPN) Security Requirements Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.

DISA Rule

SV-207230r608988_rule

Vulnerability Number

V-207230

Group Title

SRG-NET-000317

Rule Version

SRG-NET-000317-VPN-001090

Severity

CAT I

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.

Weight

10

Fix Recommendation

Configure the IPsec Gateway to use AES with IKE. The option on the IKE Phase 1 proposal may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.

Check Contents

Verify all IKE proposals are set to use the AES encryption algorithm.

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.

Vulnerability Number

V-207230

Documentable

False

Rule Version

SRG-NET-000317-VPN-001090

Severity Override Guidance

Verify all IKE proposals are set to use the AES encryption algorithm.

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.

Check Content Reference

M

Target Key

2920

Comments