Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-207237 | SRG-NET-000337-VPN-001290 | SV-207237r561344_rule | Medium |
| Description |
|---|
| The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the lifetime of the IPsec SA, the longer the lifetime of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter lifetime causes IPsec peers to renegotiate Phase II more often resulting in the expenditure of additional resources. Specify the lifetime (in seconds) of an Internet Key Exchange (IKE) security association (SA). When the SA expires, it is replaced by a new SA, the security parameter index (SPI), or terminated if the peer cannot be contacted for renegotiation. |
| STIG | Date |
|---|---|
| Virtual Private Network (VPN) Security Requirements Guide | 2020-10-02 |
Details
| Check Text ( C-7497r378332_chk ) |
|---|
| Verify the IPsec VPN Gateway renegotiates the security association after 8 hours or less, or an organization-defined period. If the IPsec VPN Gateway does not renegotiate the security association after 8 hours or less, or an organization-defined period, this is a finding. |
| Fix Text (F-7497r378333_fix) |
|---|
| Configure the IPsec VPN Gateway to renegotiate the security association after 8 hours or less, or an organization-defined period. |