The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.

An XCCDF Rule

Description

<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-239952r666262_rule
Severity: Medium
References: CCI-000382
Updated: 8 months ago

Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations.

Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption …
ASA1(config)# crypto ikev2 enable OUTSIDE

Step 2: Configure IKE for the IPsec Phase 2.

ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS

The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.

Description

Remediation - Manual Procedure