The VPN gateway must use AES for IKE cryptographic encryption operations required to ensure privacy of the IKE session.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30952	NET-VPN-070	SV-40994r1_rule	ECSC-1	High

Description
While there is much debate about the security and performance of Advance Encryption Standard (AES), there is a consensus that it is significantly more secure than any of the algorithms supported by IPSec implementations today. AES is available in three key sizes: 128, 192 and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES. To ensure the privacy of the IKE session responsible for establishing the security association and key exchange for an IPSec tunnel, it is imperative that AES is used for encryption operations.

Description

While there is much debate about the security and performance of Advance Encryption Standard (AES), there is a consensus that it is significantly more secure than any of the algorithms supported by IPSec implementations today. AES is available in three key sizes: 128, 192 and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES. To ensure the privacy of the IKE session responsible for establishing the security association and key exchange for an IPSec tunnel, it is imperative that AES is used for encryption operations.

STIG	Date
IPSec VPN Gateway Security Technical Implementation Guide	2018-11-27

Details

Check Text ( C-39612r1_chk )
Examine all ISAKMP policies configured on the VPN gateway to determine what encryption algorithm is being used for establishing an IKE Security Association.

Fix Text (F-34762r1_fix)
Configure all ISAKMP policies to use AES for IKE cryptographic encryption operations.