Information
Gateway configuration at the remote VPN end-point is a not a mirror of the local gateway.
The IPSec tunnel end points may be configured on the OOBM gateway routers connecting the managed network and the NOC. They may also be configured on a firewall or VPN concentrator located behind the gateway router. In either case, the crypto access-list used to identify the traffic to be protected must be a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.
NOTE: This check requires manual verification that the crypto access-list are mirrored on other VPN equipment located behind the gateway router.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Configure the crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.