The VPN gateway must use ESP tunnel mode for establishing secured paths to transport traffic between the organization’s sites or between a gateway and remote end-stations.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of ESP tunnel mode not used for IPSec session.

Associated with IA controls: ECSC-1

SV-41006r1_rule The VPN gateway must use ESP tunnel mode for establishing secured paths to transport traffic between the organization’s sites or between a gateway and remote end-stations.

Vulnerability discussion

Encapsulating Security Payload (ESP) is the component of the IPSec architecture that provides confidentiality, data origin authentication, integrity, and anti-replay protection. ESP can be deployed in either transport mode or tunnel mode. Transport mode creates a secured session between two hosts that are themselves the IPSec endpoints; it is also the mode used when two hosts simply want to authenticate each IP packet with the IPSec Authentication Header (AH). In ESP transport mode only the payload (the transport-layer segment and everything above it) is encrypted, and the original IP header stays in the clear, so the packet's addressing is exposed and it cannot be carried on behalf of hosts behind the IPSec endpoint. In tunnel mode the entire original IP packet, header included, is encrypted and encapsulated inside a new IP header addressed to the IPSec peer. Tunnel mode is therefore the mode used to protect traffic between IPSec gateways, or between a gateway and an end-station running IPSec client software, and it is the only mode that provides a secured path for transporting traffic between remote sites or end-stations and the central site.

Check content

Review all transform sets defined in IPSec profiles and crypto maps and verify that ESP tunnel mode has been specified for each. If no mode is configured on a transform set, determine the VPN gateway's default mode; a transform set with no explicit mode is compliant only if the platform default is tunnel mode.

Fix text

Configure all IPSec transform sets to use ESP tunnel mode.
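The check and fix above amount to a configuration audit. The following script is an added example, not part of the STIG and not any vendor's tooling. It parses a constructed Cisco IOS-style configuration fragment (the STIG names no platform, but "transform set", "IPSec profile" and "crypto map" are IOS terms, so IOS syntax is assumed), reports each transform set's configured and effective mode together with the profiles and crypto maps that select it, and rewrites the fragment so every transform set explicitly states mode tunnel. The platform default of tunnel mode is an assumption (it is the documented IOS default) that the reviewer must confirm on the device in hand; the sample configuration, object names and peer address are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in Cisco IOS running-config style (assumed syntax; not taken
# from any real device). TS-TRANSPORT violates the rule, TS-TUNNEL complies, and
# TS-DEFAULT omits the mode line, so it inherits whatever the platform default is.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-TRANSPORT esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS-TUNNEL esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set TS-DEFAULT esp-aes 256 esp-sha256-hmac
crypto ipsec profile SITE-PROFILE
 set transform-set TS-TRANSPORT
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-DEFAULT
 match address VPN-ACL
"""

TRANSFORM_SET_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
MODE_RE = re.compile(r"^\s+mode (transport|tunnel)\s*$")
CONTAINER_RE = re.compile(r"^crypto (ipsec profile \S+|map \S+ \d+)")
SET_TS_RE = re.compile(r"^\s+set transform-set (\S+)")


def parse_transform_sets(config: str) -> Dict[str, str]:
    """Map each transform-set name to 'transport', 'tunnel' or 'unspecified'."""
    modes: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        header = TRANSFORM_SET_RE.match(line)
        if header:
            current = header.group(1)
            modes[current] = "unspecified"
            continue
        mode = MODE_RE.match(line)
        if current and mode:
            modes[current] = mode.group(1)
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
    return modes


def parse_references(config: str) -> Dict[str, List[str]]:
    """Map each transform-set name to the IPSec profiles / crypto maps selecting it."""
    refs: Dict[str, List[str]] = {}
    container = None
    for line in config.splitlines():
        header = CONTAINER_RE.match(line)
        if header:
            container = header.group(1)
        elif not line.startswith(" "):
            container = None
        else:
            sel = SET_TS_RE.match(line)
            if sel and container:
                refs.setdefault(sel.group(1), []).append(container)
    return refs


def audit(config: str, platform_default: str = "tunnel") -> List[Tuple[str, str, str]]:
    """Return (transform-set, PASS|FAIL, detail) for every transform set.

    platform_default is the mode applied when none is configured. Tunnel is the
    assumed (documented IOS) default; confirm it on the platform under review.
    """
    modes, refs = parse_transform_sets(config), parse_references(config)
    findings = []
    for name, mode in modes.items():
        effective = platform_default if mode == "unspecified" else mode
        status = "PASS" if effective == "tunnel" else "FAIL"
        used_by = ", ".join(refs.get(name, [])) or "unreferenced"
        findings.append((name, status, f"mode {mode} (effective {effective}); used by {used_by}"))
    return findings


def remediate(config: str) -> str:
    """Rewrite the config so every transform set explicitly states 'mode tunnel'."""
    out: List[str] = []
    in_set = has_mode = False
    for line in config.splitlines():
        if TRANSFORM_SET_RE.match(line):
            if in_set and not has_mode:
                out.append(" mode tunnel")  # previous set never stated a mode
            in_set, has_mode = True, False
            out.append(line)
        elif in_set and MODE_RE.match(line):
            out.append(" mode tunnel")  # replaces 'mode transport', keeps 'mode tunnel'
            has_mode = True
        elif in_set and not line.startswith(" "):
            if not has_mode:
                out.append(" mode tunnel")
            in_set = False
            out.append(line)
        else:
            out.append(line)
    if in_set and not has_mode:
        out.append(" mode tunnel")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE_CONFIG):
        print(f"{status} {name}: {detail}")
    print(remediate(SAMPLE_CONFIG))
```

Run against a saved `show running-config`, the audit flags TS-TRANSPORT as a finding and shows that it is the set selected by the IPSec profile, while TS-DEFAULT passes only because the assumed default is tunnel mode; rerunning with `platform_default="transport"` turns that into a second finding, which is why the check text insists on establishing the gateway's default rather than trusting an absent mode line. The remediation writes mode tunnel explicitly on every set so the result no longer depends on the default at all.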
