The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239952 | CASA-VN-000160 | SV-239952r666262_rule | Medium |
| Description |
|---|
| In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms. |
| STIG | Date |
|---|---|
| Cisco ASA VPN Security Technical Implementation Guide | 2021-08-16 |
Details
| Check Text ( C-43185r666260_chk ) |
|---|
| Verify the ASA is configured to use IKEv2 for IPsec VPN security associations. Step 1: Verify that IKE is configured for the IPsec Phase 1 policy and enabled on applicable interfaces. crypto ikev2 policy 1 encryption … crypto ikev2 enable OUTSIDE Step 2: Verify that IKE is configured for the IPsec Phase 2. crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS protocol esp encryption … If the ASA is not configured to use IKEv2 for all IPsec VPN security associations, this is a finding. |
| Fix Text (F-43144r666261_fix) |
|---|
| Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations. Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces. ASA1(config)# crypto ikev2 policy 1 ASA1(config-ikev2-policy)# encryption … ASA1(config)# crypto ikev2 enable OUTSIDE Step 2: Configure IKE for the IPsec Phase 2. ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS |