https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56691#M12203 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11457">@Jonathan_Griffi</a>&nbsp;</P> <P>Adding this support exists on our long term road map for the Endpoint VPN clients.</P> <P>As&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;wrote, contacting your local office to open an RFE can speed this up and prioritize it.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Royi.</P> Wed, 26 Jun 2019 08:32:56 GMT Royi_Priov 2019-06-26T08:32:56Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56177#M12199 <P>Info:</P><P>Security Manager / Gateway Environment R80.10</P><P>Endpoint Security VPN Client: E80.97</P><P>&nbsp;</P><P>Hi,</P><P>I won't pretend to know the cryptographic intricacies of all the differences between the numerous Diffie-Hellman groups; my question / concern is based on best practice while providing a balance between security and usability.&nbsp;</P><P>I've spent the last few hours trying to find content relating to why I can't use Diffie-Hellman Group 19/20 with my Remote Access VPN clients...using Endpoint Security E80.9x.&nbsp;</P><P>Within global properties on my SMS I can set some pretty respectable Encryption / Integrity algorithms. However, the "best" offering regarding Diffie-Hellman Groups is 14 (2048bits). I would like to know why I am unable to use Diffie-Hellman Groups 19/20 as this is really the minimum standard for IPSec as far as I can tell...happy to be corrected if this understanding is wrong?</P><P>I'm beginning to suspect this is a client limitation. I have checked the database with the guiDB tool and can see groups 19 and 20 are defined.&nbsp;</P><P>Some clarification and /or direction to the relevant resource would be much appreciated.&nbsp;</P><P>Thanks,</P><P>Jon</P> Wed, 19 Jun 2019 12:41:05 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56177#M12199 Jonathan_Griffi 2019-06-19T12:41:05Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56489#M12200 You're correct that our VPN clients currently do not support DH Group 19/20.<BR />You can see a reference to it here: <A href="http://downloads.checkpoint.com/dc/download.htm?ID=60345" target="_blank">http://downloads.checkpoint.com/dc/download.htm?ID=60345</A> Sun, 23 Jun 2019 21:39:50 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56489#M12200 PhoneBoy 2019-06-23T21:39:50Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56624#M12201 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;thanks for letting me know...out of curiosity, do you know if this is something which will be added in future versions of the Endpoint Security Clients?&nbsp;</P><P>Cheers,</P><P>&nbsp;</P><P>Jon</P> Tue, 25 Jun 2019 14:03:41 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56624#M12201 Jonathan_Griffi 2019-06-25T14:03:41Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56634#M12202 <P>Not aware of specific plans in this area.<BR />If anyone knows,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>&nbsp;does.<BR />You may also want to check in with your local Check Point office regarding this requirement.</P> Tue, 25 Jun 2019 18:51:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56634#M12202 PhoneBoy 2019-06-25T18:51:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56691#M12203 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11457">@Jonathan_Griffi</a>&nbsp;</P> <P>Adding this support exists on our long term road map for the Endpoint VPN clients.</P> <P>As&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;wrote, contacting your local office to open an RFE can speed this up and prioritize it.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Royi.</P> Wed, 26 Jun 2019 08:32:56 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56691#M12203 Royi_Priov 2019-06-26T08:32:56Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56707#M12204 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>&nbsp; thanks for confirming. Much appreciated.&nbsp;</P><P>Cheers,</P><P>&nbsp;</P><P>Jon</P> Wed, 26 Jun 2019 10:08:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/R80-10-Remote-Access-VPN-Endpoint-Security-Diffie-Hellman/m-p/56707#M12204 Jonathan_Griffi 2019-06-26T10:08:48Z