|Finding ID||Version||Rule ID||IA Controls||Severity|
|In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.|
|Cisco ASA VPN Security Technical Implementation Guide||2021-08-16|
|Check Text ( C-43185r666260_chk )|
| Verify the ASA is configured to use IKEv2 for IPsec VPN security associations. |
Step 1: Verify that IKE is configured for the IPsec Phase 1 policy and enabled on applicable interfaces.
crypto ikev2 policy 1
crypto ikev2 enable OUTSIDE
Step 2: Verify that IKE is configured for the IPsec Phase 2.
crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS
protocol esp encryption …
If the ASA is not configured to use IKEv2 for all IPsec VPN security associations, this is a finding.
|Fix Text (F-43144r666261_fix)|
| Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations. |
Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces.
ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption …
ASA1(config)# crypto ikev2 enable OUTSIDE
Step 2: Configure IKE for the IPsec Phase 2.
ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS