Check: SRG-NET-000337-VPN-001300
Virtual Private Network (VPN) SRG:
SRG-NET-000337-VPN-001300
(in versions v3 r3 through v2 r6)
Title
The VPN Gateway must renegotiate the IKE security association (SA) after eight hours or less. (Cat II impact)
Discussion
When a VPN gateway creates an IPsec SA, resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended.
Check Content
Verify the VPN Gateway renegotiates the IKE security association after eight hours or less. If the VPN Gateway does not renegotiate the IKE security association after eight hours or less, this is a finding.
Fix Text
Configure the VPN Gateway to renegotiate the IKE security association after eight hours or less.
Additional Identifiers
Rule ID: SV-207238r987783_rule
Vulnerability ID: V-207238
Group Title: SRG-NET-000337
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002036 |
Defines the circumstances or situations under which users will be required to reauthenticate. |
Controls
| Number | Title |
|---|---|
| IA-11 |
Re-authentication |