The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 1.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of DH Group 14 or larger not used for IKE Phase 1.

SV-41001r2_rule The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 1.

Vulnerability discussion

Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. IKE uses DH to create keys used to encrypt both the Internet Key Exchange (IKE) and IPsec communication channels. The process works by two peers both generating a private and a public key and then exchanging their public keys with each other. The peers produce the same shared secret by using each other’s public key and their own private key using the DH algorithm. The DH group is configured as part of the IKE Phase 1 key exchange settings. DH public key cryptography is used by all major VPN gateways. DH group 1 consists of a 768 bit modulus, group 2 consists of 1024 bit modulus, group 5 uses a 1536 bit modulus, and group 14 uses a 2048 bit modulus. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be.

Check content

Examine all ISAKMP policies configured on the VPN gateway to determine what Diffie-Hellman group is being used. Verify Group 14 or larger has been configured. If the group has not been configured, determine what the default for the VPN gateway is or enter the appropriate show command to display the policies. Group 1 is the default for many VPN gateways. If the Diffie-Hellman group is not set to 14 or larger, this is a finding.

Fix text

Configure the VPN gateway to ensure Diffie-Hellman Group 14 or larger is used.

Pro Tips

Powered by sagemincer