The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207253	SRG-NET-000512-VPN-002230	SV-207253r608988_rule		High

Description
Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.

Description

Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.

STIG	Date
Virtual Private Network (VPN) Security Requirements Guide	2021-03-25

Details

Check Text ( C-7513r378380_chk )
Verify the VPN Gateway does not accept certificates that have been revoked when using PKI for authentication. If the VPN Gateway accepts certificates that have been revoked when using PKI for authentication, this is a finding.

Fix Text (F-7513r378381_fix)
Configure the VPN Gateway to not accept certificates that have been revoked when using PKI for authentication.