CASA-VN-000160 - The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations - Interface

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.

Solution

Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations.

Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption ...

ASA1(config)# crypto ikev2 enable OUTSIDE

Step 2: Configure IKE for the IPsec Phase 2.

ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y23M01_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000382, Rule-ID|SV-239952r666262_rule, STIG-ID|CASA-VN-000160, Vuln-ID|V-239952

Plugin: Cisco

Control ID: c3b0802b3f90aa4f3dcfa2ab42d1933f3d2abbfeae5dd1a1d81ea07cdb8bae99