https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-configuration/m-p/195432#M36392 <P>3DES is a no go for today's standards and SHA-1 is being phased out. I have been using the following for site-to-site VPNs with 3rd parties:</P><P>IKEv2</P><P>Phase1: AES-256 / SHA256 - Group 19 / 1440 minutes</P><P>Phase2: AES-GCM-256 / 3600 seconds</P><P>It would be nice to be able to use GCM in Phase1, but that option is not available currently. Ideally you want a minimum key size of 256 for everything. I would be curious to see what others recommend as well for encryption.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 17 Oct 2023 14:37:56 GMT CaseyB 2023-10-17T14:37:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-configuration/m-p/195419#M36384 <P>Hi everyone,</P><P>I was just wondering was the general feeling was about the phase 1/2 encryption protocols between a Checkpoint appliance and a third party device (Sonicwall, Draytec etc) in todays world?</P><P>I'm just looking at one now and these are the requested settings, which to me look a little outdated:</P><P>Phase 1</P><P>DH Group 2</P><P>3DES encryption</P><P>SHA1 integrity</P><P>Renegotiate IKE every 28800 seconds</P><P>&nbsp;</P><P>Phase 2</P><P>3DES encryption</P><P>SHA1 integrity</P><P>Renegotiate IPsec every 3600 seconds</P><P>Thanks,</P><P>Steve</P> Tue, 17 Oct 2023 14:08:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-configuration/m-p/195419#M36384 Steve_Pearson 2023-10-17T14:08:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-configuration/m-p/195426#M36388 <P>Hi Steve,<BR /><BR />Those settings are indeed not recommended.<BR /><BR />3des is less secure and less efficient than AES suites.</P><P>&nbsp;</P><P>You could use anything from AES-256 + Sha2 and up.</P><P>&nbsp;</P><P>Enable PFS&nbsp; in phase 2 only if extreme security is needed</P> Tue, 17 Oct 2023 14:22:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-configuration/m-p/195426#M36388 Machine_Head 2023-10-17T14:22:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-configuration/m-p/195432#M36392 <P>3DES is a no go for today's standards and SHA-1 is being phased out. I have been using the following for site-to-site VPNs with 3rd parties:</P><P>IKEv2</P><P>Phase1: AES-256 / SHA256 - Group 19 / 1440 minutes</P><P>Phase2: AES-GCM-256 / 3600 seconds</P><P>It would be nice to be able to use GCM in Phase1, but that option is not available currently. Ideally you want a minimum key size of 256 for everything. I would be curious to see what others recommend as well for encryption.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 17 Oct 2023 14:37:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-configuration/m-p/195432#M36392 CaseyB 2023-10-17T14:37:56Z