This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jennyado
Advisor
9 hours ago

Impact when disabling DES/3DES for Endpoint VPN clients?

Hi everyone!

I’d like to validate something with the community regarding legacy encryption algorithms in Remote Access VPN (C2S).

We are planning to disable DES and 3DES in both IKE Phase 1 and Phase 2 on our Check Point Remote Access VPN environment due to security hardening requirements.

Before proceeding, we want to understand whether this could impact users running the following client versions that we identified in production:

1.0.18.0
1.6
1.601.42
1.601.47
1.601.49
1.601.51
E85.30
E85.40
E86.00
E86.20
E86.50
E86.80
E87.00
E87.20
E87.31
E88.10
E88.20
E88.30
E88.40
E88.60
E88.63
E88.70
E88.72
E89.00
E89.10
E89.11
E89.20

Main questions:

  • Has anyone disabled DES/3DES in Remote Access VPN and experienced issues with older Endpoint Security VPN clients?
  • Are all E85+ clients expected to fully support AES-only configurations for both Phase 1 and Phase 2?
  • Is there any official documentation or SK/article that maps supported VPN encryption algorithms by Endpoint client version?
  • Besides checking the encryption suite, are there any additional compatibility validations you would recommend before disabling DES/3DES?

Our goal is to move toward stronger crypto standards without unexpectedly impacting legacy clients.

Any insights, field experience, or relevant documentation would be greatly appreciated.

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
8 hours ago

You'd probably have to go back to Secure Client days (more than 20 years now) to find a client that doesn't support AES.
Any you find that don't should likely be upgraded to a supported version. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events