The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-214670	JUSX-VN-000003	SV-214670r695320_rule		Medium

Description
When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice.

Description

When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice.

STIG	Date
Juniper SRX Services Gateway VPN Security Technical Implementation Guide	2021-03-25

Details

Check Text ( C-15871r695319_chk )
Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The idle time value must be one hour or less. If idle time is not configured, determine the default used by the gateway. The default value is 28800 seconds which is compliant. [edit] show security ike proposal View the value of the lifetime-seconds option. If the IKE security associations are not renegotiated after 24 hours or less of idle time, this is a finding.

Check Text ( C-15871r695319_chk )

Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The idle time value must be one hour or less. If idle time is not configured, determine the default used by the gateway. The default value is 28800 seconds which is compliant.

[edit]
show security ike proposal

View the value of the lifetime-seconds option.

If the IKE security associations are not renegotiated after 24 hours or less of idle time, this is a finding.

Fix Text (F-15869r297598_fix)
Specify the lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA, the security parameter index (SPI), or terminated if the peer cannot be contacted for renegotiation. Example: [edit] set security ike proposal lifetime-seconds 86400