STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-214670r695320_rule
V-214670
SRG-NET-000517
JUSX-VN-000003
CAT II
10
Specify the lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA, the security parameter index (SPI), or terminated if the peer cannot be contacted for renegotiation.
Example:
[edit]
set security ike proposal <P1-PROPOSAL-NAME> lifetime-seconds 86400
Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The idle time value must be one hour or less. If idle time is not configured, determine the default used by the gateway. The default value is 28800 seconds which is compliant.
[edit]
show security ike proposal
View the value of the lifetime-seconds option.
If the IKE security associations are not renegotiated after 24 hours or less of idle time, this is a finding.
V-214670
False
JUSX-VN-000003
Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The idle time value must be one hour or less. If idle time is not configured, determine the default used by the gateway. The default value is 28800 seconds which is compliant.
[edit]
show security ike proposal
View the value of the lifetime-seconds option.
If the IKE security associations are not renegotiated after 24 hours or less of idle time, this is a finding.
M
4009