Navigate

Check: SRG-NET-000132-VPN-000460

Virtual Private Network (VPN) SRG: SRG-NET-000132-VPN-000460 (in versions v3 r3 through v1 r0.1)

Title

The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations. (Cat II impact)

Discussion

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.

Check Content

Verify the IPsec VPN Gateway uses IKEv2 for IPsec VPN security associations. If the IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations, this is a finding.

Fix Text

Configure the IPsec VPN Gateway to use IKEv2 for IPsec VPN security associations.

Additional Identifiers

Rule ID: SV-207205r608988_rule

Vulnerability ID: V-207205

Group Title: SRG-NET-000132

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000382	Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
CM-7	Least Functionality