https://community.checkpoint.com/t5/Firewall-and-Security-Management/Impact-when-disabling-DES-3DES-for-Endpoint-VPN-clients/m-p/276981#M105405 <P>You'd probably have to go back to Secure Client days (more than 20 years now) to find a client that doesn't support AES.<BR />Any you find that don't should likely be upgraded to a supported version.&nbsp;</P> Fri, 15 May 2026 22:33:21 GMT PhoneBoy 2026-05-15T22:33:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Impact-when-disabling-DES-3DES-for-Endpoint-VPN-clients/m-p/276979#M105403 <P>Hi everyone!</P> <P data-end="116" data-start="0">I’d like to validate something with the community regarding legacy encryption algorithms in Remote Access VPN (C2S).</P> <P data-end="286" data-start="118">We are planning to disable <STRONG data-end="161" data-start="145">DES and 3DES</STRONG> in both <STRONG data-end="197" data-start="170">IKE Phase 1 and Phase 2</STRONG> on our Check Point Remote Access VPN environment due to security hardening requirements.</P> <P data-end="432" data-start="288">Before proceeding, we want to understand whether this could impact users running the following client versions that we identified in production:</P> <P data-end="432" data-start="288">1.0.18.0<BR />1.6<BR />1.601.42<BR />1.601.47<BR />1.601.49<BR />1.601.51<BR />E85.30<BR />E85.40<BR />E86.00<BR />E86.20<BR />E86.50<BR />E86.80<BR />E87.00<BR />E87.20<BR />E87.31<BR />E88.10<BR />E88.20<BR />E88.30<BR />E88.40<BR />E88.60<BR />E88.63<BR />E88.70<BR />E88.72<BR />E89.00<BR />E89.10<BR />E89.11<BR />E89.20</P> <P data-end="658" data-start="643">Main questions:</P> <UL data-end="1218" data-start="660"> <LI data-end="776" data-start="660" data-section-id="tex8hu">Has anyone disabled DES/3DES in Remote Access VPN and experienced issues with older Endpoint Security VPN clients?</LI> <LI data-end="879" data-start="777" data-section-id="wkm2sm">Are all E85+ clients expected to fully support AES-only configurations for both Phase 1 and Phase 2?</LI> <LI data-end="1005" data-start="880" data-section-id="1lte1ds">Is there any official documentation or SK/article that maps supported VPN encryption algorithms by Endpoint client version?</LI> <LI data-end="1144" data-start="1006" data-section-id="w0lvfh">Besides checking the encryption suite, are there any additional compatibility validations you would recommend before disabling DES/3DES?</LI> </UL> <P data-end="1319" data-start="1220">Our goal is to move toward stronger crypto standards without unexpectedly impacting legacy clients.</P> <P data-is-only-node="" data-is-last-node="" data-end="1408" data-start="1321">Any insights, field experience, or relevant documentation would be greatly appreciated.</P> Fri, 15 May 2026 21:25:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Impact-when-disabling-DES-3DES-for-Endpoint-VPN-clients/m-p/276979#M105403 jennyado 2026-05-15T21:25:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Impact-when-disabling-DES-3DES-for-Endpoint-VPN-clients/m-p/276981#M105405 <P>You'd probably have to go back to Secure Client days (more than 20 years now) to find a client that doesn't support AES.<BR />Any you find that don't should likely be upgraded to a supported version.&nbsp;</P> Fri, 15 May 2026 22:33:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Impact-when-disabling-DES-3DES-for-Endpoint-VPN-clients/m-p/276981#M105405 PhoneBoy 2026-05-15T22:33:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Impact-when-disabling-DES-3DES-for-Endpoint-VPN-clients/m-p/276988#M105406 <P>I totally get the point Phoneboy made.</P> Sun, 17 May 2026 02:31:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Impact-when-disabling-DES-3DES-for-Endpoint-VPN-clients/m-p/276988#M105406 the_rock 2026-05-17T02:31:52Z