The VPN gateway must implement IKE Security Associations that terminate within 24 hours or less.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-30965 | NET-VPN-120 | SV-41007r1_rule | ECSC-1 | Low |
| Description |
|---|
| The Security Association (SA) and its corresponding key will expire after the number of seconds has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure a new SA is ready for use when the old one expires. The longer the life time of the Internet Key Exchange (IKE) Security Association, the longer the life time of the key used for the IKE session, which is the control plane for establishing IPSec Security Associations. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter IKE lifetime causes IPSec peers to have to renegotiate IKE more often resulting in the expenditure of additional resources. Nevertheless, it is imperative the IKE SA lifetime terminates within 24 hours or less. |
| STIG | Date |
|---|---|
| IPSec VPN Gateway Security Technical Implementation Guide | 2018-11-27 |
Details
| Check Text ( C-39625r1_chk ) |
|---|
| Review all ISAKMP policies configured on the VPN gateway and examine the configured lifetime. The lifetime value must be 24 hours or less. If they are not configured, determine the default that used by the gateway. |
| Fix Text (F-34776r1_fix) |
|---|
| Configure a lifetime value of 24 hours or less for all ISAKMP polices. |