topic Re: s2s VPN settings in Firewall and Security Management

s2s VPN settings

D_TK — Thu, 12 May 2022 18:21:04 GMT

Currently have a 7 gateway "Meshed" VPN community that was configured 6 or 7 years ago. This is all checkpoint <-> checkpoint equipment. Currently this community runs over a private MPLS network but later this year we moving it all to direct internet connectivity. Just wondering if these encryption suite settings are still considered strong, or should i strengthen it?

All versions are currently r81.10 hotfix 45

thanks

Re: s2s VPN settings

Timothy_Hall — Thu, 12 May 2022 22:28:39 GMT

Definitely move from SHA1 to SHA256 for both phases, and you should probably increase your Diffie Hellman Group to 19+ for the supposedly more secure Elliptic Curve key calculations instead of the older MODP. May also want to use AES-GCM-128 for Phase 2 which is slightly more efficient, unless we are talking military applications where people will literally die if someone can crack the encrypted traffic in a reasonable timeframe, then use AES-256 for Phase 2 with PFS. These changes shouldn't cause a noticeable performance impact and I believe are a reasonable balance between performance and security in most cases.

Re: s2s VPN settings

D_TK — Thu, 12 May 2022 22:54:11 GMT

Thanks Tim, appreciate your advice.