Check: SRG-NET-000375-VPN-001690
Virtual Private Network (VPN) SRG:
SRG-NET-000375-VPN-001690
(in versions v2 r2 through v2 r6)
Title
The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations. (Cat II impact)
Discussion
ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP can be deployed in either transport mode or tunnel mode. Transport mode is used to create a secured session between two hosts; it is also the mode two hosts use when they simply want to authenticate each IP packet with the IPsec Authentication Header (AH). With ESP in transport mode, only the payload (the transport layer and above) is encrypted, and the original IP header, with the real source and destination addresses, travels in the clear. With ESP in tunnel mode, the entire original IP packet, header included, is encrypted and encapsulated behind a new outer IP header that carries only the addresses of the tunnel endpoints. Tunnel mode is therefore used to protect traffic between IPsec gateways, or between an IPsec gateway and an end-station running IPsec software, and it is the only mode that provides a secured path, including header information, for site-to-site VPNs and for traffic between remote end-stations and the central site. Note that the outer header, ESP SPI and sequence number remain visible to an on-path observer: tunnel mode hides the inner endpoints and protocol, not the existence of the tunnel.
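The difference the discussion describes can be seen in the bytes. The following is an added example, not part of the SRG text: it builds the same constructed inner packet in ESP transport mode and in ESP tunnel mode following the RFC 4303 framing (SPI, sequence number, protected payload, padding, pad length, Next Header, ICV), shows what an on-path observer reads from the outer header in each case, and classifies the mode the way a decrypting endpoint does, from the ESP Next Header (4 for an encapsulated IPv4 packet, 41 for IPv6, a transport protocol number otherwise). The cipher is a placeholder keystream built from HMAC-SHA-256 so the block runs with the standard library; a real SA applies its negotiated cipher (for example AES-GCM) to the same byte range. The addresses, keys and the 12-byte TCP placeholder are all constructed.

```python
"""ESP transport mode vs. tunnel mode framing (RFC 4303), as an added example.

Not part of the SRG text. All packet bytes and keys below are constructed.
The cipher is a PLACEHOLDER keystream (HMAC-SHA-256 in counter mode) so the
framing can be inspected offline; a real SA applies its negotiated cipher
(for example AES-GCM) to the same byte range. Integrity is HMAC-SHA-256-128
as in RFC 4868.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # ESP Next Header when an IPv4 packet is encapsulated (tunnel mode)
IPPROTO_IPV6 = 41   # same for an encapsulated IPv6 packet
IPPROTO_TCP = 6     # ESP Next Header when only a TCP segment is carried (transport mode)
IPPROTO_ESP = 50


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid checksum; src/dst as str or packed bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum >> 16) + (csum & 0xFFFF)
    csum = (~(csum + (csum >> 16))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def _keystream(key, spi, seq, n):
    """PLACEHOLDER cipher: HMAC-SHA-256 counter mode keyed per (SPI, sequence number)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(spi, seq, plaintext, next_header, enc_key, auth_key):
    """ESP packet: SPI | Seq | enc(payload | padding | pad len | next header) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # trailer must end on a 4-byte boundary
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, spi, seq, len(body))))
    esp_header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:16]
    return esp_header + ciphertext + icv


def esp_decapsulate(esp_packet, enc_key, auth_key):
    """Verify the ICV, decrypt, strip the trailer; returns (next_header, plaintext)."""
    esp_header, ciphertext, icv = esp_packet[:8], esp_packet[8:-16], esp_packet[-16:]
    expected = hmac.new(auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", esp_header)
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, spi, seq, len(ciphertext))))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[: len(body) - 2 - pad_len]


def transport_mode(inner, spi, seq, enc_key, auth_key):
    """Original IP header stays (protocol becomes 50); only the layer-4 payload is protected."""
    esp = esp_encapsulate(spi, seq, inner[20:], inner[9], enc_key, auth_key)
    return ipv4_header(inner[12:16], inner[16:20], IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(inner, gw_src, gw_dst, spi, seq, enc_key, auth_key):
    """New outer header between the gateways; the whole original packet is protected."""
    esp = esp_encapsulate(spi, seq, inner, IPPROTO_IPIP, enc_key, auth_key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def on_path_view(packet):
    """What an observer without the SA keys can read from the outer header."""
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9]}


def esp_mode(packet, enc_key, auth_key):
    """Classify the mode the way a decrypting endpoint does: from the ESP Next Header."""
    next_header, _ = esp_decapsulate(packet[20:], enc_key, auth_key)
    return "tunnel" if next_header in (IPPROTO_IPIP, IPPROTO_IPV6) else "transport"


# Constructed sample: host 10.1.1.10 -> host 10.2.2.20 carrying a 12-byte TCP placeholder,
# protected either host-to-host (transport) or gateway-to-gateway (tunnel).
ENC_KEY, AUTH_KEY = b"\x11" * 32, b"\x22" * 32
INNER = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, 12) + b"\x00" * 12
TRANSPORT = transport_mode(INNER, 0x1000, 1, ENC_KEY, AUTH_KEY)
TUNNEL = tunnel_mode(INNER, "203.0.113.1", "198.51.100.1", 0x2000, 1, ENC_KEY, AUTH_KEY)

if __name__ == "__main__":
    print("transport mode, on-path view:", on_path_view(TRANSPORT))  # inner hosts exposed
    print("tunnel mode, on-path view:   ", on_path_view(TUNNEL))     # only the gateways visible
```

In transport mode the observer learns that 10.1.1.10 is talking to 10.2.2.20; in tunnel mode it sees only the two gateway addresses and protocol 50, and the inner header is recovered only after a successful ICV check and decryption. A combined-mode cipher such as AES-GCM would additionally carry an IV after the sequence number and produce the ICV from the AEAD tag rather than from a separate HMAC, but the protected span is the same.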
Check Content
Verify the IPsec VPN Gateway uses ESP in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations. Review each IPsec policy, proposal, or transform set applied to those paths and confirm that the protocol is ESP and the mode is tunnel rather than transport. If the IPsec VPN Gateway does not use ESP in tunnel mode for these paths, this is a finding.
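On a Linux-based gateway the installed security associations can be read from the kernel, which makes the check above scriptable. The following is an added example and not part of the SRG: it assumes `ip xfrm state` is available on the gateway, parses its output into one record per SA, and reports every SA that is not ESP or is ESP in a mode other than tunnel. The SAMPLE text is constructed to mimic that output (one compliant tunnel-mode ESP SA, one transport-mode ESP SA, and one AH-only SA); the key material in it is a placeholder.

```python
"""Audit installed IPsec SAs for ESP tunnel mode, as an added example.

Not part of the SRG. It assumes a Linux-based gateway whose kernel SAs are
listed by `ip xfrm state`; SAMPLE below is constructed to mimic that output.
Any SA on the audited paths that is not ESP, or is ESP in a mode other than
tunnel, is reported as a finding against this requirement.
"""
import re
import subprocess

# `ip xfrm state` prints one "src A dst B" line per SA followed by indented detail lines,
# the first of which carries the protocol, SPI, reqid and mode.
PEER_LINE = re.compile(r"^src (?P<src>\S+) dst (?P<dst>\S+)")
SA_LINE = re.compile(r"^\s+proto (?P<proto>\w+) spi (?P<spi>0x[0-9a-fA-F]+) .*\bmode (?P<mode>\w+)")


def parse_xfrm_state(text):
    """Turn `ip xfrm state` output into one dict per SA."""
    sas, peer = [], None
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if m:
            peer = (m["src"], m["dst"])
            continue
        m = SA_LINE.match(line)
        if m and peer:
            sas.append({"src": peer[0], "dst": peer[1],
                        "proto": m["proto"], "spi": m["spi"], "mode": m["mode"]})
    return sas


def findings(sas):
    """One line per SA that does not satisfy 'ESP in tunnel mode'."""
    out = []
    for sa in sas:
        where = f"{sa['src']} -> {sa['dst']} spi {sa['spi']}"
        if sa["proto"] != "esp":
            out.append(f"{where}: {sa['proto'].upper()} SA, not ESP (no confidentiality)")
        elif sa["mode"] != "tunnel":
            out.append(f"{where}: ESP in {sa['mode']} mode, not tunnel (inner IP header exposed)")
    return out


def audit_gateway():
    """Run against the local kernel; reading SA state normally needs root."""
    text = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True, check=True).stdout
    return findings(parse_xfrm_state(text))


# Constructed sample modelled on `ip xfrm state` output (keys are placeholders).
SAMPLE = """\
src 203.0.113.1 dst 198.51.100.1
\tproto esp spi 0x0a1b2c3d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00 128
src 203.0.113.1 dst 198.51.100.7
\tproto esp spi 0x0a1b2c3e reqid 2 mode transport
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00 128
src 203.0.113.1 dst 198.51.100.9
\tproto ah spi 0x0a1b2c3f reqid 3 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
"""

if __name__ == "__main__":
    for finding in findings(parse_xfrm_state(SAMPLE)):
        print("FINDING:", finding)
```

Against the sample, the transport-mode ESP SA and the AH-only SA are reported and the tunnel-mode ESP SA is not. On a gateway that is not Linux-based, the equivalent check is to inspect the active IPsec SAs or the configured proposals in the vendor's own interface for the same two properties: protocol ESP and mode tunnel.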
Fix Text
Configure the IPsec VPN Gateway to use ESP in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.
Additional Identifiers
Rule ID: SV-207246r856721_rule
Vulnerability ID: V-207246
Group Title: SRG-NET-000375
CCIs
Number | Definition
---|---
CCI-002423 | Implement cryptographic mechanisms to protect message externals unless otherwise protected by organization-defined alternative physical controls.
Controls
Number | Title
---|---
SC-8(3) | Cryptographic Protection for Message Externals