STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-266986

CAT II (Medium)

AOS, when used as a VPN Gateway, must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.

Rule ID

SV-266986r1040894_rule

STIG

HPE Aruba Networking AOS VPN Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002450

Discussion

Use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. The National Security Agency/Central Security Service's (NSA/CSS) CSfC program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by the NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified NSS. However, quantum-resistant algorithms will be required for future Suite B implementations.

Satisfies: SRG-NET-000352-VPN-001460, SRG-NET-000565-VPN-002390, SRG-NET-000565-VPN-002400

Check Content

If AOS is not being used for CSfC, this requirement is not applicable.
 
1. Verify the AOS configuration with the following command:
show crypto-local ipsec-map
 
Note the IKEv2 Policy number for each configured map.
 
2. For each configured policy number, run the following command:
show crypto isakmp policy <IKEv2 Policy #>
 
3. Verify each configured transform-set by running the following command:
show crypto ipsec transform-set
 
If the configured IPsec map, ISAKMP policy, and transform-set do not contain all of the following, this is a finding:
ECDSA P-384 (secp384r1) certificate
IKEv2 policy with AES256, SHA-384, ECDSA-384, Group 20
Transform set with AES-256-GCM

Fix Text

Configure AOS with the following commands:

1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, "ServerCert" type, and click "Submit". 
5. Navigate to Configuration >> System >> Admin and choose the imported certificate under "Server Certificate" and click "Submit". 
6. Click Pending Changes >> Deploy Changes. 

configure terminal
crypto ipsec transform-set <name> esp-aes256-gcm
crypto isakmp policy <#>
authentication ecdsa-384
encryption aes256
group 20
hash sha2-384-192
prf prf-hmac-sha384
version v2
exit
crypto-local ipsec-map <name> <priority>
set transform-set <set created earlier name>
<configure VPN settings as needed>
exit
write memory