Title

The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations. (Cat II impact)

Discussion

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.

Check Content

Verify the ASA is configured to use IKEv2 for IPsec VPN security associations. Step 1: Verify that IKE is configured for the IPsec Phase 1 policy and enabled on applicable interfaces. crypto ikev2 policy 1 encryption … crypto ikev2 enable OUTSIDE Step 2: Verify that IKE is configured for the IPsec Phase 2. crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS protocol esp encryption … If the ASA is not configured to use IKEv2 for all IPsec VPN security associations, this is a finding.

Fix Text

Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations. Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces. ASA1(config)# crypto ikev2 policy 1 ASA1(config-ikev2-policy)# encryption … ASA1(config)# crypto ikev2 enable OUTSIDE Step 2: Configure IKE for the IPsec Phase 2. ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS

Additional Identifiers

Rule ID: SV-239952r666262_rule

Vulnerability ID: V-239952

Group Title: SRG-NET-000132-VPN-000460

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.