Rule ID
SV-239964r1015264_rule
Version
V2R2
When a VPN gateway creates an IPsec security association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice.
Verify the VPN gateway renegotiates the IKE security association after 24 hours or less as shown in the example below. crypto ikev2 policy 2 encryption … … … … lifetime seconds 86400 If the VPN gateway does not renegotiate the IKE security association after 24 hours or less, this is a finding.
Configure the VPN gateway to renegotiate the IKE security association after 24 hours or less as shown in the example below. ASA2(config)# crypto ikev2 policy 2 ASA2(config-ikev2-policy)# lifetime seconds 86400 ASA2(config-ikev2-policy)# end