UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must implement IPSec security associations that terminate within 8 hours or less.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30962 NET-VPN-160 SV-41004r1_rule ECSC-1 Low
Description
The IPSec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the life time of the IPSec Security Association, the longer the life time of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter lifetime causes IPSec peers to have to renegotiate IKE Phase II more often resulting in the expenditure of additional resources. Nevertheless, it is imperative the IPSec SA lifetime terminates within 8 hours.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2017-03-02

Details

Check Text ( C-39622r1_chk )
Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured lifetime. The lifetime value must be 8 hours or less. If they are not configured, determine the default that used by the gateway.
Fix Text (F-34772r1_fix)
Configure a lifetime value of 8 hours or less for all IPSec security associations either within IPSec profiles or as a global command.