This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CP-NDA
Collaborator
‎2025-03-26 05:41 AM
Jump to solution

Improving IPSEC Encryption settings

Hi,

 

I have a few questions about the existing encryption settings in R81.20.

We still have some communities using AES256 or AES128 and SHA1. We would like to improve security and are considering moving to:

Suite-B-GCM-256 default settings:

  • AES-GCM-256
  • SHA-384
  • EC DH Group 20

Suite-B-GCM-128 default settings:

  • AES-GCM-128
  • SHA-256
  • EC DH Group 19

I read but it's not clear to me.

sk73980 - Relative speeds of algorithms for IPsec and SSL

Solved: R80.x Performance Tuning Tip - AES-NI - Page 2 - Check Point CheckMates

 

Do both suites of protocols support AES-NI?

Also, are the same protocols used in Phase 1 and Phase 2 when using the pre-defined suites?

 

Do you have any other suggestions or recommendations?

 

Thank you,

 

Nicolas

 

 

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-03-26 11:22 AM
Jump to solution

As far as I know, they should be covered in AES-NI and even handled in SecureXL.

View solution in original post

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-03-26 07:48 PM
Jump to solution

Assuming the processor architecture of your appliance supports AES-NI, yes you want to use the GCM variants of AES for IPSec Phase 2.  Use of the AES-GCM variants is supported both by SecureXL (in the fastpath) and the Firewall Worker cores (Medium & slowpath).  Here are the relevant pages from my Gateway Performance Optimization course explaining this:

aes-ni1.pngaes-ni2.png

 

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2025-03-26 11:22 AM
Jump to solution

As far as I know, they should be covered in AES-NI and even handled in SecureXL.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-03-26 07:48 PM
Jump to solution

Assuming the processor architecture of your appliance supports AES-NI, yes you want to use the GCM variants of AES for IPSec Phase 2.  Use of the AES-GCM variants is supported both by SecureXL (in the fastpath) and the Firewall Worker cores (Medium & slowpath).  Here are the relevant pages from my Gateway Performance Optimization course explaining this:

aes-ni1.pngaes-ni2.png

 

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
CP-NDA
Collaborator
‎2025-03-27 12:58 AM
In response to Timothy_Hall
Jump to solution

Thank you

Really clear !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events