Details
To prevent unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Using IKEv2 provides stronger DoS protection, owing to its improved bandwidth management, and supports more secure encryption algorithms than IKEv1.
Solution
Configure the IPsec VPN Gateway to use IKEv2 for all IPsec VPN Security Associations.
Step 1: Configure IKE for the IPsec Phase 1 policy and enable it on applicable interfaces.
ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption …
ASA1(config)# crypto ikev2 enable OUTSIDE
Step 2: Configure IKE for the IPsec Phase 2.
ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS
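As an added example (not part of the STIG text or any Cisco tooling), the following Python check reads an ASA running-config excerpt and flags what an auditor of this control would look for: no IKEv2 policy, a crypto-map interface without IKEv2 enabled or with IKEv1 still enabled, and crypto map entries lacking an IKEv2 ipsec-proposal. The config sample and the names OUTSIDE, CMAP, TS_LEGACY and VPN_ACL are constructed for the example.

```python
import re

# Constructed ASA running-config excerpt for this example; it deliberately
# keeps IKEv1 enabled and an IKEv1 transform-set so the check has findings.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set TS_LEGACY esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS
crypto map CMAP 10 match address VPN_ACL
crypto map CMAP 10 set ikev1 transform-set TS_LEGACY
crypto map CMAP 10 set ikev2 ipsec-proposal IPSEC_TRANS
crypto map CMAP interface OUTSIDE
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity sha512
 group 21
crypto ikev2 enable OUTSIDE
crypto ikev1 enable OUTSIDE
"""


def audit_ike_versions(config: str) -> dict:
    """Return {"compliant": bool, "findings": [...]} for IKEv2-only IPsec."""
    def grab(pattern):
        return re.findall(pattern, config, re.MULTILINE)

    ikev1_ifaces = set(grab(r"^crypto ikev1 enable (\S+)"))
    ikev2_ifaces = set(grab(r"^crypto ikev2 enable (\S+)"))
    ikev2_policies = grab(r"^crypto ikev2 policy (\d+)")
    map_ifaces = grab(r"^crypto map (\S+) interface (\S+)")
    map_entries = set(grab(r"^crypto map (\S+) (\d+) match address"))
    ikev1_entries = set(grab(r"^crypto map (\S+) (\d+) set ikev1 transform-set"))
    ikev2_entries = set(grab(r"^crypto map (\S+) (\d+) set ikev2 ipsec-proposal"))

    findings = []
    if not ikev2_policies:
        findings.append("no 'crypto ikev2 policy' defined (Phase 1)")
    for name, iface in map_ifaces:
        if iface not in ikev2_ifaces:
            findings.append(f"{iface}: crypto map {name} applied but IKEv2 not enabled")
        if iface in ikev1_ifaces:
            findings.append(f"{iface}: IKEv1 still enabled alongside the crypto map")
    for name, seq in sorted(map_entries):
        if (name, seq) in ikev1_entries:
            findings.append(f"crypto map {name} {seq}: IKEv1 transform-set still set")
        if (name, seq) not in ikev2_entries:
            findings.append(f"crypto map {name} {seq}: no IKEv2 ipsec-proposal (Phase 2)")
    return {"compliant": not findings, "findings": findings}
```

Running audit_ike_versions on the output of `show running-config` gives a quick pre-check before the formal STIG review; once the IKEv1 lines are removed the sample passes.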
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.
References
- 800-53|CM-7b.
- CAT|II
- CCI|CCI-000382
- Rule-ID|SV-239952r666262_rule
- STIG-ID|CASA-VN-000160
- Vuln-ID|V-239952