topic Re: VPN Site to Site Encryption Suite Best Practise in SASE and Remote Access

VPN Site to Site Encryption Suite Best Practise

Mauro_Conoscian — Tue, 24 Sep 2019 14:15:05 GMT

Any suggestions about the best performance/security parameters to use in a Site to Site Encryption Suite configuration ? I would stress the phase 1 and leave the phase 2 lighter....in few words

Phase 1

Encryption Alghoritm --> AES256

Data Integrity --> SHA256

DH Group --> Group14

Phase 2

Encryption Alghoritm --> 3DES

Data Integrity --> SHA1

unless the other side peer complain 🐵

What do you think about it ?

Re: VPN Site to Site Encryption Suite Best Practise

Alex- — Tue, 24 Sep 2019 14:25:05 GMT

Avoid 3DES as it's computationally inefficient compared to AES, and AES-NI will give you much better performance.

SHA1 shouldn't be used anymore in favor of AES256+

Re: VPN Site to Site Encryption Suite Best Practise

G_W_Albrecht — Tue, 24 Sep 2019 14:33:49 GMT

Refer to sk105119 - Best Practices - VPN Performance and to sk104760 - ATRG: VPN Core. For a comparison of encryption algorithm speeds, refer to sk73980 - Relative speeds of algorithms for IPsec and SSL.

Re: VPN Site to Site Encryption Suite Best Practise

Danny — Tue, 24 Sep 2019 14:44:35 GMT

I recommend to differentiate between VPN Site-to-Site between Check Point gateways and with 3rd party VPN gateways.

Best practice settings (bold) for VPN with 3rd party gateways | Compatibility matrix