UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must use a key size from Diffie-Hellman Group 2 or larger during IKE Phase 1.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30959 NET-VPN-090 SV-41001r1_rule ECSC-1 Low
Description
Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. IKE uses DH to create keys used to encrypt both the Internet Key Exchange (IKE) and IPSec communication channels. The process works by two peers both generating a private and a public key and then exchanging their public keys with each other. The peers produce the same shared secret by using each other’s public key and their own private key using the DH algorithm. The DH group is configured as part of the IKE Phase 1 key exchange settings. DH public key cryptography is used by all major VPN gateways, supporting DH groups 1, 2, and 5. DH group 1 consists of a 768 bit modulus, group 2 consists of 1024 bit modulus, and group 5 uses a 1536 bit modulus. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2016-09-28

Details

Check Text ( C-39619r1_chk )
Examine all ISAKMP policies configured on the VPN gateway to determine what Diffie-Hellman group is being used. Verify Group 2 or larger has been configured. If the group has not been configured, determine what the default for the VPN gateway is or enter the appropriate show command to display the policies. Group 1 is the default for many VPN gateways.
Fix Text (F-34769r1_fix)
Configure the VPN gateway to ensure Diffie-Hellman Group 2 or larger is used.