The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-239952 | SRG-NET-000132-VPN-000460 | CASA-VN-000160 | SV-239952r666262_rule | 2024-08-22 | 2 |
| Description |
|---|
| In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms. |
| ℹ️ Check |
|---|
| Verify the ASA is configured to use IKEv2 for IPsec VPN security associations. Step 1: Verify that IKE is configured for the IPsec Phase 1 policy and enabled on applicable interfaces. crypto ikev2 policy 1 encryption … crypto ikev2 enable OUTSIDE Step 2: Verify that IKE is configured for the IPsec Phase 2. crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS protocol esp encryption … If the ASA is not configured to use IKEv2 for all IPsec VPN security associations, this is a finding. |
| ✔️ Fix |
|---|
| Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations. Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces. ASA1(config)# crypto ikev2 policy 1 ASA1(config-ikev2-policy)# encryption … ASA1(config)# crypto ikev2 enable OUTSIDE Step 2: Configure IKE for the IPsec Phase 2. ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS |