
The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.

An XCCDF Rule

Description

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. IKEv2 provides better DoS protection through improved bandwidth management and supports stronger encryption algorithms.

ID
SV-239952r666262_rule
Version
CASA-VN-000160
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations.

Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption …
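To verify the result of this step from a saved copy of `show running-config`, the following Python checker is an added example, not part of the STIG or of Cisco's tooling. It parses the running-config lines for `crypto ikev2 policy`, `crypto ikev2 enable <interface>`, `crypto ikev1 enable <interface>`, and the crypto map bindings, and reports any interface that carries a crypto map without IKEv2 enabled, or any crypto map entry still negotiating its IPsec SA with IKEv1. The two configuration excerpts embedded below are constructed samples (interface names, map names, ACL names, and the 203.0.113.10 peer address are assumptions), not configuration from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: a compliant excerpt of ASA running-config output.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP interface outside
"""

# Constructed sample: an excerpt that still relies on IKEv1 for its SAs.
NONCOMPLIANT_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
"""

IKEV2_POLICY = re.compile(r"^crypto ikev2 policy (\d+)\s*$")
IKEV2_ENABLE = re.compile(r"^crypto ikev2 enable (\S+)")
IKEV1_ENABLE = re.compile(r"^crypto ikev1 enable (\S+)")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)")
MAP_IKEV1 = re.compile(r"^crypto map (\S+) (\d+) set ikev1 ")


@dataclass
class CryptoConfig:
    policies: Dict[str, Dict[str, str]] = field(default_factory=dict)   # policy number -> settings
    ikev2_interfaces: Set[str] = field(default_factory=set)
    ikev1_interfaces: Set[str] = field(default_factory=set)
    map_interfaces: Dict[str, str] = field(default_factory=dict)         # interface -> crypto map name
    ikev1_map_entries: List[str] = field(default_factory=list)           # "MAP seq" entries using IKEv1


def parse_config(text: str) -> CryptoConfig:
    """Collect the IKE/IPsec facts relevant to this rule from running-config text."""
    cfg = CryptoConfig()
    current_policy = None
    for raw in text.splitlines():
        # Indented lines directly under an IKEv2 policy are its sub-commands.
        if raw.startswith(" ") and current_policy is not None:
            parts = raw.strip().split(None, 1)
            if parts:
                cfg.policies[current_policy][parts[0]] = parts[1] if len(parts) > 1 else ""
            continue
        current_policy = None
        if m := IKEV2_POLICY.match(raw):
            current_policy = m.group(1)
            cfg.policies[current_policy] = {}
        elif m := IKEV2_ENABLE.match(raw):
            cfg.ikev2_interfaces.add(m.group(1))
        elif m := IKEV1_ENABLE.match(raw):
            cfg.ikev1_interfaces.add(m.group(1))
        elif m := MAP_BIND.match(raw):
            cfg.map_interfaces[m.group(2)] = m.group(1)
        elif m := MAP_IKEV1.match(raw):
            cfg.ikev1_map_entries.append(f"{m.group(1)} {m.group(2)}")
    return cfg


def check_ikev2_only(text: str) -> List[str]:
    """Return findings; an empty list means every IPsec SA is set up with IKEv2."""
    cfg = parse_config(text)
    findings: List[str] = []
    if not cfg.policies:
        findings.append("no 'crypto ikev2 policy' configured")
    for iface, map_name in sorted(cfg.map_interfaces.items()):
        if iface not in cfg.ikev2_interfaces:
            findings.append(f"crypto map {map_name} is bound to {iface} but IKEv2 is not enabled there")
    for iface in sorted(cfg.ikev1_interfaces):
        findings.append(f"IKEv1 is enabled on {iface}")
    for entry in cfg.ikev1_map_entries:
        findings.append(f"crypto map entry {entry} negotiates its IPsec SA with IKEv1")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("compliant", SAMPLE_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(name, check_ikev2_only(cfg_text) or "OK")
```

The checker only reads text, so it can be run against an exported running-config without touching the device; it treats a crypto map bound to an interface that lacks `crypto ikev2 enable` as a finding because no IKEv2 SA can be built there.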