The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 14 or greater for Internet Key Exchange (IKE) Phase 1.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239957	CASA-VN-000210	SV-239957r666277_rule		High

Description
Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be.

Description

Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be.

STIG	Date
Cisco ASA VPN Security Technical Implementation Guide	2021-08-16

Details

Check Text ( C-43190r666275_chk )
Review the ASA configuration to determine if DH Group of 14 or greater has been specified for IKE Phase 1 as shown in the example below. crypto ikev2 policy 1 encryption aes-256 … group 24 If DH Group of 14 or greater has not been specified for IKE Phase 1, this is a finding.

Fix Text (F-43149r666276_fix)
Configure the ASA to use a DH Group of 14 or greater as shown in the example below. ASA1(config)# crypto ikev2 policy 1 ASA1(config-ikev2-policy)# group 24