Vilius
Explorer

AES-GCM support - IPsec Phase1

Hello,

Checking the R80.40 or R81 VPN administration guide, I only see AES-128/256 for Site-to-site IPsec Phase 1 configuration. I believe that implies CBC. How about support for AES-256GCM in Phase 1? Is it possible to support it by upgrading to some specific version or by enabling support somewhere under the hood?

I am receiving requests to negotiate GCM for both phases, and one of the S2S remote parties actually says they are stopping CBC support for IPsec.

 

Thanks

 

1 Solution

Accepted Solutions
_Val_
Admin

At this point, we only support AES-GCM ciphers with Phase 2. If you need them with Phase 1, please open an RFE.


8 Replies
Brad_Muller
Participant

We are seeing more and more vendors requiring AES-GCM in Phase 1. Does Check Point have any documentation that explains why they chose not to support it? It would be great to have some ammunition to fire back.

0 Kudos
Vilius
Explorer

There are references to the CP implementation using and recommending NSA Suite-B cryptography. It is not very helpful, because Suite-B is now deprecated in favor of the Commercial National Security Algorithm Suite (CNSA). Quantum Computing Recommended Site-to-Site VPN configuration (checkpoint.com)

I did submit an RFE through a CP representative. The last update is that we can expect full AES-GCM support with the next major release in 2024. Given the usual time frame for a version to be recommended and corporate upgrade cycles, this will be an issue for the foreseeable future.

 

0 Kudos
idants
Employee

We are considering adding it; I will update soon.

Thanks,

Idan Tsarfati

IPsec VPN R&D group manager

0 Kudos
pulidan
Explorer

Idan, we have a case open for this now in December of 2023. Please let us know when AES-GCM will be part of the release. I am at R81.20 and have a Site-to-Site tunnel that will be going down if we do not have GCM support for Phase 1. We'll simply have to buy a competitive product, and I've been loyal to Check Point for almost 26 years. Please advise.

 

Thanks,

Dan

0 Kudos
Alex-
Leader

We are seeing more requests to move VPNs to IKEv2 and AEAD suites only as well. Let's hope this functionality is underway.

0 Kudos
CaseyB
Advisor

I have been informed that GCM ciphers will be supported for Phase 1 in R82.

0 Kudos
idants
Employee

Correct, AES-GCM in phase will be supported in R82.
