jennyado
Advisor

Impact when disabling DES/3DES for Endpoint VPN clients?

Hi everyone!

I’d like to validate something with the community regarding legacy encryption algorithms in Remote Access VPN (C2S).

We are planning to disable DES and 3DES in both IKE Phase 1 and Phase 2 on our Check Point Remote Access VPN environment due to security hardening requirements.

Before proceeding, we want to understand whether this could impact users running the following client versions that we identified in production:

1.0.18.0
1.6
1.601.42
1.601.47
1.601.49
1.601.51
E85.30
E85.40
E86.00
E86.20
E86.50
E86.80
E87.00
E87.20
E87.31
E88.10
E88.20
E88.30
E88.40
E88.60
E88.63
E88.70
E88.72
E89.00
E89.10
E89.11
E89.20

Main questions:

  • Has anyone disabled DES/3DES in Remote Access VPN and experienced issues with older Endpoint Security VPN clients?
  • Are all E85+ clients expected to fully support AES-only configurations for both Phase 1 and Phase 2?
  • Is there any official documentation or SK/article that maps supported VPN encryption algorithms by Endpoint client version?
  • Besides checking the encryption suite, are there any additional compatibility validations you would recommend before disabling DES/3DES?

Our goal is to move toward stronger crypto standards without unexpectedly impacting legacy clients.

Any insights, field experience, or relevant documentation would be greatly appreciated.


Accepted Solutions
PhoneBoy
Admin

You'd probably have to go back to Secure Client days (more than 20 years now) to find a client that doesn't support AES.
Any you find that don't should likely be upgraded to a supported version. 

3 Replies
the_rock
MVP Diamond

I totally get the point Phoneboy made.

Best,
Andy
"Have a great day and if it's not, change it"
ccsjnw
Contributor

I did extensive research on this topic some time ago... I did lots of testing, not just reading...

If you are using CheckPoint Remote Access VPN Client (or full Harmony EndPoint Client) E80.65 or newer then you can ignore the dire warnings in the SmartConsole about needing DH Group 2 and go with the settings below (you can safely disable everything else):

Most compatible (Gaia R81.xx, R82.xx):

Phase 1:
Encryption Algorithm: AES-256
Data Integrity: SHA256
DH Group: 14

Phase 2:
Encryption Algorithm: AES-256
Data Integrity: SHA256

(Capsule connect for iOS doesn't support SHA384 or SHA512. SHA256 works on everything)

Version E88 of the Remote Access Client and newer allow you to use DH Groups 15, 19, 20 and 21.
(DH Groups 22, 23 & 24 should not be used as they use potentially unsafe primes).

For extra Security, you can use DH Group 21 with R82 and later versions of Check Point (Gaia).
(I found no downside at all to using DH Group 21 when the gateway and endpoint support it.)

Note that even the newest (E89.10) Windows Remote Access VPN Client still needs the Registry kludge to enable IKEv2.
When IKEv2 is enabled on the Windows Client, it can't fall back to IKE v1 (enabling IKEv2 turns off IKEv1).

Capsule Connect for iOS works with IKEv1 or IKEv2 transparently. Windows Remote Access VPN clients do not.


Better security (for Gaia R82 and later) and still offering very broad compatibility:

Phase 1:
Encryption Algorithm: AES-256
Data Integrity: SHA256
DH Group: 21

Phase 2:
Encryption Algorithm: AES-256
Data Integrity: SHA256


One day (I hope) CheckPoint will remove the need to use the Registry Hack for enabling IKEv2 support in the Windows Remote Access VPN Client...

The encryption defaults really should be a lot better than they are in 2026... They keep saying they are going to overhaul the defaults, but it didn't happen in the R82 or R82.10 release sadly.

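A pre-change checklist script, added here as an illustration and not code from the thread or from Check Point: it takes the client versions listed in the question and the Phase 1/Phase 2 settings from the reply above, and reports which clients fall below the E80.65 (AES-only) and E88 (DH 15/19/20/21) thresholds stated in the reply and which proposal settings depart from the recommended ones. The thresholds, the category names and the handling of non-"E" version strings (treated as an unknown client family to verify by hand) are assumptions taken from the posts, not an official compatibility matrix.

```python
import re
from typing import NamedTuple, Optional

# Thresholds as stated in the reply above (assumption: taken from the post, not vendor documentation).
MIN_AES_ONLY = (80, 65)     # E80.65+: AES-only Phase 1/2 without DH Group 2
MIN_MODERN_DH = (88, 0)     # E88+: DH Groups 15, 19, 20, 21 available
WEAK_ENCRYPTION = {"DES", "3DES"}
UNSAFE_DH = {22, 23, 24}    # flagged in the post as using potentially unsafe primes
RECOMMENDED_DH = {14, 15, 19, 20, 21}

class Proposal(NamedTuple):
    encryption: str
    integrity: str
    dh_group: Optional[int]   # None for Phase 2 (no group listed in the post's Phase 2 settings)

def parse_endpoint_version(v: str) -> Optional[tuple]:
    """'E85.30' -> (85, 30); None when the string is not in the E-client scheme."""
    m = re.fullmatch(r"E(\d+)\.(\d+)", v.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify_client(v: str) -> str:
    """Bucket one observed client version against the thread's thresholds."""
    parsed = parse_endpoint_version(v)
    if parsed is None:
        return "unknown-family"      # e.g. '1.601.42': not an E-client build string, verify manually
    if parsed < MIN_AES_ONLY:
        return "upgrade-required"    # predates the E80.65 guidance in the reply
    if parsed < MIN_MODERN_DH:
        return "aes-ok-dh14"         # AES-256/SHA256/DH14 fine; DH 15/19/20/21 not yet available
    return "aes-ok-modern-dh"

def summarize_clients(versions) -> dict:
    """Group versions by category so the upgrade list is visible before DES/3DES is removed."""
    out = {}
    for v in versions:
        out.setdefault(classify_client(v), []).append(v)
    return out

def check_proposal(p: Proposal) -> list:
    """Findings for one IKE proposal; an empty list means it matches the settings in the reply."""
    findings = []
    if p.encryption.upper() in WEAK_ENCRYPTION:
        findings.append(f"{p.encryption} is legacy; use AES-256")
    if p.integrity.upper() != "SHA256":
        findings.append(f"{p.integrity}: prefer SHA256 (Capsule Connect for iOS lacks SHA384/SHA512)")
    if p.dh_group is not None:
        if p.dh_group in UNSAFE_DH:
            findings.append(f"DH group {p.dh_group} uses potentially unsafe primes")
        elif p.dh_group not in RECOMMENDED_DH:
            findings.append(f"DH group {p.dh_group} not in recommended set {sorted(RECOMMENDED_DH)}")
    return findings

# Constructed sample: a subset of the versions listed in the question.
OBSERVED = ["1.0.18.0", "1.601.42", "E85.30", "E87.31", "E88.10", "E89.20"]
if __name__ == "__main__":
    print(summarize_clients(OBSERVED))
    print(check_proposal(Proposal("AES-256", "SHA256", 14)))   # Phase 1 from the reply
    print(check_proposal(Proposal("3DES", "SHA1", 2)))         # legacy proposal being retired
```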
