
R80.10 - Remote Access VPN - Endpoint Security Diffie-Hellman Support

Info:

Security Manager / Gateway Environment R80.10

Endpoint Security VPN Client: E80.97

Hi,

I won't pretend to know the cryptographic intricacies of all the differences between the numerous Diffie-Hellman groups; my question / concern is based on best practice while providing a balance between security and usability. 

I've spent the last few hours trying to find content relating to why I can't use Diffie-Hellman Group 19/20 with my Remote Access VPN clients...using Endpoint Security E80.9x. 

Within global properties on my SMS I can set some pretty respectable Encryption / Integrity algorithms. However, the "best" offering regarding Diffie-Hellman Groups is 14 (2048bits). I would like to know why I am unable to use Diffie-Hellman Groups 19/20 as this is really the minimum standard for IPSec as far as I can tell...happy to be corrected if this understanding is wrong?

I'm beginning to suspect this is a client limitation. I have checked the database with the guiDB tool and can see groups 19 and 20 are defined. 

Some clarification and /or direction to the relevant resource would be much appreciated. 

Thanks,

Jon

5 Replies

Admin

You're correct that our VPN clients currently do not support DH Group 19/20.
You can see a reference to it here: http://downloads.checkpoint.com/dc/download.htm?ID=60345

@PhoneBoy thanks for letting me know...out of curiosity, do you know if this is something which will be added in future versions of the Endpoint Security Clients? 

Cheers,

Jon

Admin

Not aware of specific plans in this area.
If anyone knows, @Royi_Priov does.
You may also want to check in with your local Check Point office regarding this requirement.

Employee+

Hi @Jonathan_Griffi 

Adding this support exists on our long-term road map for the Endpoint VPN clients.

As @PhoneBoy wrote, contacting your local office to open an RFE can speed this up and prioritize it.

Thanks,

Royi.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

@Royi_Priov  thanks for confirming. Much appreciated. 

Cheers,

Jon
