STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 1 hour ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Virtual Private Network (VPN) Security Requirements Guide

V-207193

CAT I (High)

The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.

Rule ID

SV-207193r916149_rule

STIG

Virtual Private Network (VPN) Security Requirements Guide

Version

V3R4

CCIs

CCI-000068

Discussion

Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be.

Check Content

Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1.

View the IKE options dh-group option.

If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.

Fix Text

Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.