topic Re: VPN Performance Question in General Topics

VPN Performance Question

tniop_kcehc — Thu, 06 Feb 2020 20:41:13 GMT

We are working on a new firewall concept for our company. Now the question has arisen, which encryption is the most effective and at the same time offers a high level of protection?

Are there any experiences or recommendations here?

Re: VPN Performance Question

HeikoAnkenbrand — Thu, 06 Feb 2020 20:54:48 GMT

Hi @tniop_kcehc
(nice community name:-)

Tip!
I'd turn on AES-NI in BIOS on Open Server. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.

AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:

Site-to-Site VPN
Remote Access VPN
Mobile Access
HTTPS Interception

With the following command you can test and compare all encryption methods. After these results I would always recommend to activate AES-NI and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration.

Warning notice: If you execute this command you have 100% CPU usage for a long time!

# cpopenssl speed

This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK Relative speeds of algorithms for IPsec and SSL.

I had published an article about this that might help you:

R80.x - Performance Tuning Tip - AES-NI

Re: VPN Performance Question

tniop_kcehc — Thu, 06 Feb 2020 20:59:07 GMT

Hi @HeikoAnkenbrand

I'm going to test this command "cpopenssl speed" in a maintenance window on our current firewall.

Thank you.

Re: VPN Performance Question

HeikoAnkenbrand — Thu, 06 Feb 2020 21:01:56 GMT

Hi @tniop_kcehc,

I like to use the following for phase 1 and phase 2:
AES256
SHA256

This is a middle way between performance and security.

Regards

Heiko

Re: VPN Performance Question

tniop_kcehc — Thu, 06 Feb 2020 21:04:10 GMT

THX👍

Re: VPN Performance Question

Jan_Elbers — Fri, 07 Feb 2020 13:12:43 GMT

Isn't it better to use a higher encryption standard.

Re: VPN Performance Question

KelvinB — Fri, 07 Feb 2020 13:43:13 GMT

I think higher encryption is better.

Re: VPN Performance Question

Timothy_Hall — Sun, 09 Feb 2020 20:06:02 GMT

I get this question a lot, so I decided to include my opinion on it in the third edition of my book. My recommended settings from the book are below and are primarily geared to improve performance with a reasonable level of security for most organizations. This is most certainly a matter of opinion and I would be surprised if the following does not generate any debate:

Recommended IPSec VPN Settings

The following sections detail which VPN algorithm settings should be used to provide a reasonable level of IPSec VPN performance without sacrificing security. Please note that these recommendations are made primarily to improve performance, and also provide what I feel is a reasonable level of VPN security for most organizations.

Do not just blindly follow these recommendations; please perform a thorough risk analysis that includes any regulatory, legal, life safety, and privacy considerations that are relevant to your organization’s mission, and adjust these recommendations as needed for your specific situation.

IKE Protocol: V2 (Check Point Firewalls), IKE Protocol V1 for third-party VPNs
IKE Phase 1 Encryption: AES-256
IKE Phase 1 Data Integrity: SHA-256
IKE Phase 1 DH Group: 20 (384-bit ECP)
IKE Phase 1 SA Lifetime (minutes): 720
IKE Phase 2 Encryption: AES-GCM-128 (AES-NI present, otherwise AES-128)
IKE Phase 2 Data Integrity: SHA-256
IKE Phase 2 SA Lifetime (seconds): 3600
PFS: Disabled (Use DH Group 19 if PFS is required)
Use Aggressive Mode: Disabled
Support IP Compression: Disabled
VPN Tunnel Sharing (Domain-based VPN): “One VPN tunnel per subnet pair”
VPN Tunnel Sharing (Route-based VPN): “One VPN tunnel per Gateway pair”
Permanent Tunnels: (Check Point Firewalls Only) “On all tunnels in the community”
Permanent Tunnels in DPD Mode: Enabled for third-party peers, see sk108600: VPN Site-to-Site with 3rd party

Re: VPN Performance Question

Marcus_Smith — Thu, 10 Jun 2021 13:36:52 GMT

Hi Tim/Heiko,

Thanks for sharing this information. Very useful.

I have a couple of questions that I hope you can help with.

My community is the default one called "Remote Access". This type of community provides no option to configure Encryption settings. The Encryption options for this community have to be set under Global Properties, Remote Access, VPN - Authentication and the available settings in this area appear to be limited (I only see limited Diffie-Hellman groups).

If I do start to create a new mesh community I notice many more Encryption options available within the community settings for example Group 19 and 20.

If I want my VPN community to use these more secure methods do I need to migrate to a new commnutiy or am I missing something?

Thanks