STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-207238

CAT II (Medium)

The VPN Gateway must renegotiate the IKE security association (SA) after eight hours or less.

Rule ID

SV-207238r987783_rule

STIG

Virtual Private Network (VPN) Security Requirements Guide

Version

V3R4

CCIs

CCI-002036

Discussion

When a VPN gateway creates an IPsec SA, resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended.

Check Content

Verify the VPN Gateway renegotiates the IKE security association after eight hours or less.

If the VPN Gateway does not renegotiate the IKE security association after eight hours or less, this is a finding.

Fix Text

Configure the VPN Gateway to renegotiate the IKE security association after eight hours or less.
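As an added example (not part of the STIG text or of STIGhub), the following Python script automates the check above for a strongSwan-style ipsec.conf: it reads each conn section's ikelifetime= value, normalises the s/m/h/d suffixes to seconds, and reports any connection whose IKE SA lifetime exceeds the eight-hour ceiling as a finding. The config file format is an assumption and the sample config is constructed; a conn with no ikelifetime= set inherits the daemon default and is reported for manual review rather than assumed compliant.

```python
# Audit IKE SA lifetimes against STIG V-207238 (renegotiate after <= 8 hours)
# in a strongSwan-style ipsec.conf (assumed format; sample config constructed).
import re

MAX_IKE_LIFETIME_S = 8 * 3600  # V-207238: eight hours or less
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # time suffixes; bare = seconds

def parse_lifetime(value: str) -> int:
    """Convert a lifetime such as '8h', '30m', '86400' or '1d' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value.lower())
    if not m:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def ike_lifetimes(config_text: str) -> dict:
    """Map each 'conn' name to its ikelifetime in seconds.
    None means ikelifetime= was not set, so the daemon default applies and the
    conn must be reviewed against the vendor's documented default."""
    result, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            result[current] = None
        elif current and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "ikelifetime":
                result[current] = parse_lifetime(val)
    return result

def findings(config_text: str) -> list:
    """Names of conns whose IKE SA lifetime exceeds eight hours (a finding)."""
    return [name for name, secs in ike_lifetimes(config_text).items()
            if secs is not None and secs > MAX_IKE_LIFETIME_S]

# Constructed sample: one compliant conn, one non-compliant, one unset.
SAMPLE_CONF = """\
conn site-a
    ikelifetime=8h      # compliant: exactly at the eight-hour ceiling
    lifetime=1h
conn site-b
    ikelifetime=24h     # finding: the IKE SA would live a full day
conn site-c
    lifetime=1h         # no ikelifetime=; daemon default applies, review it
"""
if __name__ == "__main__":
    print("findings:", findings(SAMPLE_CONF))
```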