UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must implement IKE Security Associations that terminate within 24 hours or less.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30965 NET-VPN-120 SV-41007r1_rule ECSC-1 Low
Description
The Security Association (SA) and its corresponding key will expire after the number of seconds has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure a new SA is ready for use when the old one expires. The longer the life time of the Internet Key Exchange (IKE) Security Association, the longer the life time of the key used for the IKE session, which is the control plane for establishing IPSec Security Associations. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter IKE lifetime causes IPSec peers to have to renegotiate IKE more often resulting in the expenditure of additional resources. Nevertheless, it is imperative the IKE SA lifetime terminates within 24 hours or less.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2015-09-21

Details

Check Text ( C-39625r1_chk )
Review all ISAKMP policies configured on the VPN gateway and examine the configured lifetime. The lifetime value must be 24 hours or less. If they are not configured, determine the default that used by the gateway.
Fix Text (F-34776r1_fix)
Configure a lifetime value of 24 hours or less for all ISAKMP polices.