
The VPN gateway must use a key size from Diffie-Hellman Group 2 or larger during IKE Phase 2.


Overview

Finding ID: V-30963
Version: NET-VPN-110
Rule ID: SV-41005r1_rule
IA Controls: ECSC-1
Severity: Low
Description
Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. IKE uses Diffie-Hellman to create the keys that protect both the Internet Key Exchange (IKE) and IPSec communication channels. Each of the two peers generates a private key and a public key, and the peers exchange their public keys with each other. Each peer then combines the other's public key with its own private key through the DH algorithm, and both arrive at the same shared secret. With Perfect Forward Secrecy (PFS), a new DH exchange occurs every time a new IPSec SA is negotiated during Quick Mode. The new DH shared secret is combined with the original keying material (SKEYID_d, the initiator nonce, and the responder nonce from Phase 1) to generate a new IPSec session key. If PFS is not used, the IPSec session key always depends entirely on the original keying material from Phase 1. Hence, if an older key is compromised at any time, all new keys may be compromised as well.
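To make the dependency described above concrete, the following is an added illustration (not part of the STIG text) of IKEv1 Quick Mode keying per RFC 2409 section 5.5. It runs a Diffie-Hellman exchange over group 2 (the 1024-bit MODP prime and generator 2 from RFC 2409 section 6.2), derives KEYMAT with and without PFS, and then checks whether a passive observer who holds SKEYID_d together with everything visible on the wire (SPI, nonces, DH public values) can reproduce the session key. HMAC-SHA1 is assumed as the prf, ESP as the protocol, and the nonce and SPI values are generated locally for the simulation.

```python
"""IKEv1 Quick Mode keying with and without PFS (RFC 2409 section 5.5).

Added illustration, not part of the STIG text: without PFS the IPsec
session key depends only on SKEYID_d plus values visible on the wire;
with PFS a fresh Diffie-Hellman secret over group 2 is folded in.
"""
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2: 1024-bit MODP prime and generator 2 (RFC 2409, 6.2).
DH_GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_GROUP2_GENERATOR = 2
DH_GROUP2_BYTES = (DH_GROUP2_PRIME.bit_length() + 7) // 8  # 128

PROTO_IPSEC_ESP = 3  # protocol id from the Quick Mode proposal (assumed ESP)


def dh_keypair():
    """Private exponent x and public value g^x mod p for group 2."""
    x = secrets.randbelow(DH_GROUP2_PRIME - 2) + 1
    return x, pow(DH_GROUP2_GENERATOR, x, DH_GROUP2_PRIME)


def dh_shared_secret(own_private, peer_public):
    """g^xy mod p, encoded at the fixed width the KE payload uses."""
    return pow(peer_public, own_private, DH_GROUP2_PRIME).to_bytes(DH_GROUP2_BYTES, "big")


def prf(key, data):
    """IKEv1 prf: HMAC keyed with the negotiated hash; HMAC-SHA1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, gqm_xy=b"", length=44):
    """KEYMAT = K1 | K2 | ... as defined in RFC 2409 section 5.5.

    K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    gqm_xy is empty when PFS was not negotiated (no KE payloads exchanged).
    44 bytes covers, for example, 3DES (24) plus HMAC-SHA1 (20).
    """
    body = gqm_xy + bytes([PROTO_IPSEC_ESP]) + spi + ni_b + nr_b
    keymat = block = prf(skeyid_d, body)
    while len(keymat) < length:
        block = prf(skeyid_d, block + body)
        keymat += block
    return keymat[:length]


def run_quick_mode(pfs, skeyid_d=None):
    """Simulate one Quick Mode negotiation between initiator and responder.

    Returns whether both peers derive the same KEYMAT and whether a passive
    observer holding SKEYID_d (the "older key" of the STIG description) plus
    everything on the wire (SPI, nonces, DH public values) derives it too.
    """
    skeyid_d = skeyid_d or secrets.token_bytes(20)  # Phase 1 secret, never on the wire
    spi = secrets.token_bytes(4)
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        xi, gxi = dh_keypair()  # initiator keeps xi, sends gxi in its KE payload
        xr, gxr = dh_keypair()  # responder keeps xr, sends gxr
        k_init = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, dh_shared_secret(xi, gxr))
        k_resp = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, dh_shared_secret(xr, gxi))
    else:
        k_init = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b)
        k_resp = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b)
    # The observer sees gxi and gxr but neither exponent; getting g^xy from
    # them is the discrete-log problem in group 2, so the best it can do is
    # the derivation without the DH contribution.
    observed = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b)
    return {"peers_agree": k_init == k_resp, "observer_recovers": observed == k_init}


if __name__ == "__main__":
    for mode in (False, True):
        print("PFS" if mode else "no PFS", run_quick_mode(mode))
```

Running the block prints `peers_agree: True` in both modes, `observer_recovers: True` without PFS and `False` with it, which is exactly the property the STIG is asking for. The fix text allows any group at or above group 2; the same derivation works unchanged with a larger MODP group, since only the prime, generator and KE payload width change.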
STIG: IPSec VPN Gateway Security Technical Implementation Guide
Date: 2013-10-08

Details

Check Text (C-39623r3_chk)
Review the VPN gateway configuration to determine if Perfect Forward Secrecy (PFS) is enabled. If PFS is enabled, it must use DH Group 2. For most platforms, PFS is enabled by default using DH Group 1. Examine all ISAKMP profiles and crypto maps to verify PFS is enabled using DH Group 2.
Fix Text (F-34773r1_fix)
Configure the VPN gateway to ensure Diffie-Hellman Group 2 or larger is used when enabling PFS.
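The check above is a manual review of every crypto map and ISAKMP profile. As an added example (not from the STIG or any vendor tool), the following script automates the crypto map half of that review. It assumes Cisco IOS-style syntax, where a crypto map entry is introduced by `crypto map <name> <seq> ipsec-isakmp` and PFS is set with an indented `set pfs groupN` line, and it runs against a constructed sample configuration with one compliant entry, one weak entry and one entry that never sets PFS. A `set pfs` line with no explicit group is treated as group 1 (assumed platform default), and an entry with no `set pfs` line at all is reported for review rather than passed, in line with the check text's warning about defaults.

```python
"""Flag crypto map entries whose PFS group is below DH group 2.

Added example, not part of the STIG: assumes Cisco IOS-style crypto map
syntax and a constructed sample configuration. ISAKMP profiles are not
parsed here and still need to be reviewed by hand.
"""
import re

MIN_DH_GROUP = 2  # STIG requires DH group 2 or larger for PFS

# Constructed sample: compliant (group2), weak (group1), and PFS never set.
SAMPLE_CONFIG = """\
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES-SHA
 set pfs group2
 match address 101
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set ESP-AES-SHA
 set pfs group1
 match address 102
crypto map VPN-MAP 30 ipsec-isakmp
 set peer 203.0.113.30
 set transform-set ESP-AES-SHA
 match address 103
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")
PFS_RE = re.compile(r"^\s+set pfs(?: group(\d+))?\s*$")


def parse_crypto_maps(config):
    """Return {(map_name, seq): pfs_group or None} for each ipsec-isakmp entry.

    'set pfs' with no group is recorded as group 1 (assumed IOS default);
    an entry with no 'set pfs' line at all is recorded as None.
    """
    entries = {}
    current = None
    for line in config.splitlines():
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = None
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the crypto map block
            continue
        p = PFS_RE.match(line)
        if p:
            entries[current] = int(p.group(1)) if p.group(1) else 1
    return entries


def evaluate(entries, min_group=MIN_DH_GROUP):
    """Map each crypto map entry to a PASS / FAIL / REVIEW status string."""
    findings = {}
    for key, group in entries.items():
        if group is None:
            findings[key] = "REVIEW: no 'set pfs' line; verify the platform default group"
        elif group >= min_group:
            findings[key] = f"PASS: PFS group{group}"
        else:
            findings[key] = f"FAIL: PFS group{group} is below group{min_group}"
    return findings


if __name__ == "__main__":
    for (name, seq), status in evaluate(parse_crypto_maps(SAMPLE_CONFIG)).items():
        print(f"crypto map {name} {seq}: {status}")
```

Feed the script a saved `show running-config` instead of `SAMPLE_CONFIG` to review a real gateway; any entry reported as FAIL is remediated by the fix text above (`set pfs group2` or a larger group), and REVIEW entries need the platform's default checked before they are marked compliant.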