STIGQter: STIG Summary: Virtual Private Network (VPN) Security Requirements Guide, Version 2, Release 3, Benchmark Date: 23 Apr 2021

The IPsec VPN must implement a FIPS 140-2 validated Diffie-Hellman (DH) group.

DISA Rule

SV-207193r608988_rule

Vulnerability Number

V-207193

Group Title

SRG-NET-000074

Rule Version

SRG-NET-000074-VPN-000250

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the IPsec VPN to use a FIPS 140-2 validated DH group. The following command is an example of how to configure the IKE (phase 1) proposals.

The following groups are allowed for use in DoD:
- DH Group 14 (2048-bit MODP)
- DH Group 19 (256-bit Random ECP)
- DH Group 20 (384-bit Random ECP)
- DH Group 5 (1536-bit MODP)
- DH Group 24 (2048-bit MODP with 256-bit POS)

Check Contents

Verify all IKE proposals are set to use a FIPS-validated dh-group.

View the IKE options dh-group option.

If the IKE option is not set to a FIPS 140-2 validated dh-group, this is a finding.
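The check above can be automated against an exported configuration. The following script is an added example written for this entry, not part of the STIG or of STIGQter; it assumes the device exports IKE proposals in a Junos-style `set security ike proposal <name> dh-group group<N>` syntax (the sample configuration is constructed) and reports every proposal whose dh-group is outside the approved set, as well as proposals that set no dh-group at all, since the platform default then applies and must be reviewed by hand.

```python
import re

# DH groups the STIG lists as approved for DoD use (SRG-NET-000074-VPN-000250).
APPROVED_DH_GROUPS = {5, 14, 19, 20, 24}

# Constructed sample configuration (assumption: Junos-style "set" syntax).
# IKE-PROP-B uses group2 and IKE-PROP-C sets no dh-group; both should be flagged.
SAMPLE_CONFIG = """\
set security ike proposal IKE-PROP-A authentication-method pre-shared-keys
set security ike proposal IKE-PROP-A dh-group group14
set security ike proposal IKE-PROP-A encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-B authentication-method rsa-signatures
set security ike proposal IKE-PROP-B dh-group group2
set security ike proposal IKE-PROP-C authentication-method pre-shared-keys
set security ike proposal IKE-PROP-C encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP-D dh-group group20
"""

PROPOSAL_RE = re.compile(r"^set security ike proposal (\S+)(?: (.*))?$")
DH_RE = re.compile(r"^dh-group group(\d+)$")


def parse_ike_proposals(config_text):
    """Return {proposal_name: dh_group or None} for every IKE proposal seen.

    A proposal that appears without any dh-group statement maps to None so the
    caller can distinguish "unset" from "set to something disallowed".
    """
    proposals = {}
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2) or ""
        proposals.setdefault(name, None)
        dh = DH_RE.match(rest)
        if dh:
            proposals[name] = int(dh.group(1))
    return proposals


def check_dh_groups(proposals, approved=APPROVED_DH_GROUPS):
    """Return a list of (proposal, reason) findings; an empty list means no finding."""
    findings = []
    for name, group in sorted(proposals.items()):
        if group is None:
            findings.append((name, "no dh-group configured; platform default applies and must be reviewed"))
        elif group not in approved:
            findings.append((name, f"dh-group group{group} is not in the approved set {sorted(approved)}"))
    return findings


if __name__ == "__main__":
    results = check_dh_groups(parse_ike_proposals(SAMPLE_CONFIG))
    if not results:
        print("All IKE proposals use an approved DH group.")
    for name, reason in results:
        print(f"FINDING: {name}: {reason}")
```

Running the script on the constructed sample prints findings for IKE-PROP-B (group2) and IKE-PROP-C (no dh-group), and nothing for IKE-PROP-A and IKE-PROP-D. On a real export, replace `SAMPLE_CONFIG` with the device's configuration text and adjust the two regular expressions to the platform's syntax.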

Vulnerability Number

V-207193

Documentable

False

Rule Version

SRG-NET-000074-VPN-000250

Severity Override Guidance

Verify all IKE proposals are set to use a FIPS-validated dh-group.

View the IKE options dh-group option.

If the IKE option is not set to a FIPS 140-2 validated dh-group, this is a finding.

Check Content Reference

M

Target Key

2920

Comments