
The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 1.


Overview

Finding ID: V-30959
Version: NET-VPN-090
Rule ID: SV-41001r2_rule
IA Controls: none listed
Severity: Low
Description
Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. IKE uses DH to create the keys that protect both the Internet Key Exchange (IKE) and IPsec communication channels. The process works by both peers generating a private and a public key and then exchanging their public keys with each other. Each peer derives the same shared secret by applying the DH algorithm to the other peer's public key and its own private key. The DH group is configured as part of the IKE Phase 1 key exchange settings. DH public-key cryptography is used by all major VPN gateways. DH group 1 uses a 768-bit modulus, group 2 a 1024-bit modulus, group 5 a 1536-bit modulus, and group 14 a 2048-bit modulus. The security of the DH key exchange rests on the difficulty of solving the discrete logarithm problem from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be.
STIG: IPSec VPN Gateway Security Technical Implementation Guide
Date: 2018-11-27

Details

Check Text (C-39619r2_chk)
Examine all ISAKMP policies configured on the VPN gateway to determine which Diffie-Hellman group each one uses. Verify that Group 14 or larger has been configured. If no group has been configured explicitly, determine the VPN gateway's default or enter the appropriate show command to display the effective policies. Group 1 is the default on many VPN gateways. If the Diffie-Hellman group is not set to 14 or larger, this is a finding.
Fix Text (F-34769r2_fix)
Configure the VPN gateway to ensure Diffie-Hellman Group 14 or larger is used.
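One way to automate the check above, as an added example that is not part of the STIG: the script parses a constructed, IOS-style `show crypto isakmp policy` listing, assigns the gateway default (group 1, as the check text notes) to any policy without an explicit DH line, and reports every policy below group 14. The command name, the output layout and the sample data are assumptions made for this example.

```python
import re

# Modulus sizes from the STIG description; the rule's floor is group 14.
DH_GROUP_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
MINIMUM_GROUP = 14

# Constructed sample of an IOS-style "show crypto isakmp policy" listing
# (made up for this example, not captured from a real device). Policy 30
# omits the DH line to model a gateway silently using its default group.
SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 30
        encryption algorithm:   Three key triple DES
        lifetime:               86400 seconds, no volume limit
"""

def parse_isakmp_policies(text, default_group=1):
    """Map policy priority -> DH group. A policy with no DH line is assigned
    default_group (the STIG notes group 1 is the default on many gateways)."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = default_group
            continue
        m = re.search(r"Diffie-Hellman group:\s*#(\d+)", line)
        if m and current is not None:
            policies[current] = int(m.group(1))
    return policies

def find_weak_dh_policies(text, default_group=1, minimum=MINIMUM_GROUP):
    """Return (priority, group, modulus_bits) for each policy below the floor.
    The comparison follows the rule text literally ("14 or larger"); IANA group
    numbers are not ordered by strength, so a stricter audit would compare moduli."""
    weak = []
    for prio, group in sorted(parse_isakmp_policies(text, default_group).items()):
        if group < minimum:
            weak.append((prio, group, DH_GROUP_MODULUS_BITS.get(group)))
    return weak
```

Run `find_weak_dh_policies(SAMPLE_OUTPUT)` to list the two non-compliant policies; pass `default_group` to match the documented default of the gateway actually being audited.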