UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must implement IPSec security associations that terminate after one hour or less of idle time.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30961 NET-VPN-170 SV-41003r1_rule ECSC-1 Low
Description
When a VPN gateway creates an IPSec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPSec endpoint inactivity which could result in the gateway’s inability to create new SAs for other endpoints; thereby, preventing new sessions from connecting. The IPSec SA idle timer allows SAs associated with inactive endpoints to be deleted before the SA lifetime has expired.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2017-03-02

Details

Check Text ( C-39620r2_chk )
Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured idle time. The idle time value must be 1 hour or less. If idle time is not configured, determine the default used by the gateway.
Fix Text (F-34770r1_fix)
Configure an idle time value of 1 hour or less for all IPSec security associations either within IPSec profiles or as a global command.