UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IPsec VPN must implement a FIPS 140-2 validated Diffie-Hellman (DH) group.


Overview

Finding ID Version Rule ID IA Controls Severity
V-97059 SRG-NET-000074-VPN-000250 SV-106197r1_rule High
Description
Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be.
STIG Date
Virtual Private Network (VPN) Security Requirements Guide 2019-07-26

Details

Check Text ( C-95895r1_chk )
Verify all IKE proposals are set to use a FIPS-validated dh-group.

View the IKE options dh-group option.

If the IKE option is not set to a FIPS 140-2 validated dh-group, this is a finding.
Fix Text (F-102739r1_fix)
Configure the IPsec VPN to us the FIPS 140-2 DH group. The following command is an example of how to configure the IKE (phase 1) proposals.

The following groups are allowed for use in DoD:
DH Groups 14 (2048-bit MODP)
- 19 (256-bit Random ECP), 20 (384-bit Random ECP), 5 (1536-bit MODP), 24 (2048-bit MODP with 256-bit POS).