The VPN gateway must use IKE for negotiating and establishing all IPSec security associations.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30939	NET-VPN-010	SV-40981r1_rule	ECSC-1	High

Description
An IPSec Security Associations (SA) is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. With manual configuration of the IPSec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPSec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA which could result in a rouge device establishing an IPSec SA with either of the VPN end points. IKE provides primary authentication to verify the identity of the remote system before negotiation begins. IKE also enables anti-replay services and will establish a lifetime for each IPSec session. These features are lost when the IPSec security associations are manually configured which results in a non-terminating session using static pre-shared keys.

Description

An IPSec Security Associations (SA) is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. With manual configuration of the IPSec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPSec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA which could result in a rouge device establishing an IPSec SA with either of the VPN end points. IKE provides primary authentication to verify the identity of the remote system before negotiation begins. IKE also enables anti-replay services and will establish a lifetime for each IPSec session. These features are lost when the IPSec security associations are manually configured which results in a non-terminating session using static pre-shared keys.

STIG	Date
IPSec VPN Gateway Security Technical Implementation Guide	2018-11-27

Details

Check Text ( C-39599r2_chk )
Review the VPN gateway configuration to determine if there are any IPSec crypto maps enabled in manual mode. The crypto map will specify that it is manual and will define the remote peer, what traffic is to be protected, as well as the cipher key and encryption algorithm to be used for encrypting the IP packets.

Fix Text (F-34748r1_fix)
Configure the VPN gateway to use IKE for establishing all IPSec security associations. An ISAKMP policy must be configured to define the IKE security association which will include the peer, the authentication method, encryption suite, and Diffie-Hellman group.