The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-239952 | CASA-VN-000160 | SV-239952r666262_rule | CCI-000382 | medium |
| Description | ||||
| In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms. | ||||
| STIG | Date | |||
| Cisco ASA VPN Security Technical Implementation Guide | 2024-08-22 | |||
Details
Check Text (C-239952r666262_chk)
Verify the ASA is configured to use IKEv2 for IPsec VPN security associations.
Step 1: Verify that IKE is configured for the IPsec Phase 1 policy and enabled on applicable interfaces.
crypto ikev2 policy 1
encryption …
crypto ikev2 enable OUTSIDE
Step 2: Verify that IKE is configured for the IPsec Phase 2.
crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS
protocol esp encryption …
If the ASA is not configured to use IKEv2 for all IPsec VPN security associations, this is a finding.
Fix Text (F-43144r666261_fix)
Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations.
Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces.
ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption …
ASA1(config)# crypto ikev2 enable OUTSIDE
Step 2: Configure IKE for the IPsec Phase 2.
ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS