STIGQter: STIG Summary: Virtual Private Network (VPN) Security Requirements Guide

Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

The IPsec VPN must use Advanced Encryption Standard (AES) encryption for the IPsec proposal to protect the confidentiality of remote access sessions.

DISA Rule

SV-207257r608988_rule

Vulnerability Number

V-207257

Group Title

SRG-NET-000525

Rule Version

SRG-NET-000525-VPN-002330

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the IPsec Gateway to use AES for the IPsec proposal. The following example commands configure the IPsec (phase 2) proposals. The option may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.

Check Contents

Verify all Internet Key Exchange (IKE) proposals are set to use the AES encryption algorithm.

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm for any IPsec proposal is not set to use an AES algorithm, this is a finding.
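The check above can be scripted once the proposals have been exported from the gateway. The following is an added example, not part of the STIG or of any vendor's tooling; the one-proposal-per-line inventory format, the sample proposal names and the function names are constructed for illustration.

```python
import re

# Assumption: any mode qualifies as long as the cipher is AES with an explicit
# standard key size; the page itself names aes-128-cbc, aes-192-cbc and
# aes-256-cbc. Names without a key size are flagged for manual review.
AES_RE = re.compile(r"^aes[-_]?(128|192|256)([-_][a-z0-9]+)*$")

# Constructed inventory, one proposal per line: "<name> <encryption-algorithm>".
# This is not any vendor's output format.
SAMPLE = """\
# name            encryption-algorithm
ra-users          aes-256-cbc
ra-admins         AES-128-CBC
legacy-partner    3des-cbc
branch-gcm        aes-256-gcm
lab-test          null
unfinished
"""

def audit_proposals(text):
    """Return (name, algorithm, reason) for every proposal that is a finding."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name = fields[0]
        if len(fields) < 2:
            # A proposal with no algorithm may fall back to a device default.
            findings.append((name, None, "no encryption algorithm set"))
            continue
        alg = fields[1].lower()
        if not AES_RE.match(alg):
            findings.append((name, alg, "not a recognized AES algorithm"))
    return findings

def is_compliant(text):
    """The check fails if any single proposal is a finding."""
    return not audit_proposals(text)

if __name__ == "__main__":
    for name, alg, reason in audit_proposals(SAMPLE):
        print(f"FINDING {name}: {alg or '<unset>'} ({reason})")
```
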

Documentable

False

Severity Override Guidance

Verify all Internet Key Exchange (IKE) proposals are set to use the AES encryption algorithm.

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm for any IPsec proposal is not set to use an AES algorithm, this is a finding.

Check Content Reference

M

Target Key

2920
