STIGQter: STIG Summary: Virtual Private Network (VPN) Security Requirements Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.

DISA Rule

SV-207246r695315_rule

Vulnerability Number

V-207246

Group Title

SRG-NET-000375

Rule Version

SRG-NET-000375-VPN-001690

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the IPsec VPN Gateway to use ESP in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.

Check Contents

Verify the IPsec VPN Gateway uses ESP in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.

If the IPsec VPN Gateway does not enable ESP tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations, this is a finding.

Documentable

False

Severity Override Guidance

Verify the IPsec VPN Gateway uses ESP in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.

If the IPsec VPN Gateway does not enable ESP tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations, this is a finding.

Check Content Reference

M

Target Key

2920
