STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.

DISA Rule

SV-214681r385561_rule

Vulnerability Number

V-214681

Group Title

SRG-NET-000512

Rule Version

JUSX-VN-000014

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Phase 2 for ESP and allow IKE as a host-inbound service within the security zone associated with the IKE gateway’s external interface configuration. Any traffic that you wish to encrypt is routed to this tunnel interface.

Example:

[edit]
set security ipsec proposal IPSEC-PROPOSAL protocol esp

Assumes the external interface is associated with the “untrust” zone.

[edit]
set security ike gateway <IKE-PEER> external-interface <EXTERNAL-INTERFACE-NAME>
set security zones security-zone untrust host-inbound-traffic system-services ike

Check Contents

Review all IPsec profiles and zones to verify ESP tunnel mode has been specified.

[edit]
show security ipsec proposal
show security zones security-zone untrust

If any IPsec proposal is not configured for the ESP protocol, this is a finding.

If an Internet Key Exchange (IKE) is not bound to an external host-inbound service to direct all inbound VPN traffic to the VPN interface configured for IKE, this is a finding.
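An added example, not part of the STIG or of Juniper's tooling, that applies the two check conditions above to "display set" style configuration text. The proposal names, the interface and the sample lines are constructed for illustration; the zone name defaults to "untrust" as the fix text assumes.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of "show configuration security | display set" output
# (not captured from a real device). Two proposals lack "protocol esp" and
# the untrust zone does not yet allow IKE as a host-inbound service.
SAMPLE_CONFIG = """\
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal LEGACY-AH protocol ah
set security ipsec proposal NO-PROTO authentication-algorithm hmac-sha-256-96
set security ike gateway IKE-PEER external-interface ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ping
"""

PROPOSAL_RE = re.compile(r"^set security ipsec proposal (\S+) (\S+)(?: (\S+))?$")
ZONE_SVC_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$"
)


class AuditResult(NamedTuple):
    non_esp_proposals: List[str]  # proposals not explicitly set to ESP
    ike_allowed: bool             # IKE permitted inbound in the external zone


def audit(config: str, external_zone: str = "untrust") -> AuditResult:
    """Apply the JUSX-VN-000014 check conditions to set-style config text."""
    proposals: Dict[str, Optional[str]] = {}
    ike_zones = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = PROPOSAL_RE.match(line)
        if m:
            name, key, value = m.groups()
            proposals.setdefault(name, None)  # record even if protocol never set
            if key == "protocol":
                proposals[name] = value
            continue
        m = ZONE_SVC_RE.match(line)
        if m and m.group(2) == "ike":
            ike_zones.add(m.group(1))
    # A proposal using AH, or with no protocol statement at all, is a finding.
    non_esp = sorted(n for n, p in proposals.items() if p != "esp")
    return AuditResult(non_esp, external_zone in ike_zones)


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for name in result.non_esp_proposals:
        print(f"FINDING: proposal {name} is not configured for ESP")
    if not result.ike_allowed:
        print("FINDING: IKE is not a host-inbound service in zone untrust")
```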

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4009

Comments