UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must authenticate the remote server, peer, or client prior to establishing an IPSec session.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30941 NET-VPN-020 SV-40983r1_rule ECSC-1 High
Description
Both IPSec endpoints must authenticate each other to ensure the identity of each by additional means besides an IP address which can easily be spoofed. The objective of IPSec is to establish a secured tunnel with privacy between the two endpoints traversing an IP backbone network. In the case of teleworkers accessing the enclave using a laptop configured with an IPSec software client, the secured path will also traverse the Internet. The secured path will grant the remote site or client access to resources within the private network; thereby establishing a level of trust. Hence, it is imperative that some form of authentication is used prior to establishing an IPSec session for transporting data to and from the enclave from a remote site.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2017-03-02

Details

Check Text ( C-39601r1_chk )
Review the VPN gateway configuration to determine if either username/password or certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation.
Fix Text (F-34751r1_fix)
Configure the VPN gateway to authenticate the remote end-point prior to establishing an IPSec session. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association.