The VPN gateway must implement IPSec security associations that terminate after one hour or less of idle time.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30961	NET-VPN-170	SV-41003r1_rule	ECSC-1	Low

Description
When a VPN gateway creates an IPSec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPSec endpoint inactivity which could result in the gateway’s inability to create new SAs for other endpoints; thereby, preventing new sessions from connecting. The IPSec SA idle timer allows SAs associated with inactive endpoints to be deleted before the SA lifetime has expired.

Description

When a VPN gateway creates an IPSec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPSec endpoint inactivity which could result in the gateway’s inability to create new SAs for other endpoints; thereby, preventing new sessions from connecting. The IPSec SA idle timer allows SAs associated with inactive endpoints to be deleted before the SA lifetime has expired.

STIG	Date
IPSec VPN Gateway Security Technical Implementation Guide	2018-11-27

Details

Check Text ( C-39620r2_chk )
Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured idle time. The idle time value must be 1 hour or less. If idle time is not configured, determine the default used by the gateway.

Fix Text (F-34770r1_fix)
Configure an idle time value of 1 hour or less for all IPSec security associations either within IPSec profiles or as a global command.