This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jonathan_Griffi
Participant
‎2019-06-19 05:41 AM

R80.10 - Remote Access VPN - Endpoint Security Diffie-Hellman Support

Info:

Security Manager / Gateway Environment R80.10

Endpoint Security VPN Client: E80.97

 

Hi,

I won't pretend to know the cryptographic intricacies of all the differences between the numerous Diffie-Hellman groups; my question / concern is based on best practice while providing a balance between security and usability. 

I've spent the last few hours trying to find content relating to why I can't use Diffie-Hellman Group 19/20 with my Remote Access VPN clients...using Endpoint Security E80.9x. 

Within global properties on my SMS I can set some pretty respectable Encryption / Integrity algorithms. However, the "best" offering regarding Diffie-Hellman Groups is 14 (2048bits). I would like to know why I am unable to use Diffie-Hellman Groups 19/20 as this is really the minimum standard for IPSec as far as I can tell...happy to be corrected if this understanding is wrong?

I'm beginning to suspect this is a client limitation. I have checked the database with the guiDB tool and can see groups 19 and 20 are defined. 

Some clarification and /or direction to the relevant resource would be much appreciated. 

Thanks,

Jon

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2019-06-23 02:39 PM

You're correct that our VPN clients currently do not support DH Group 19/20.
You can see a reference to it here: http://downloads.checkpoint.com/dc/download.htm?ID=60345
0 Kudos
Jonathan_Griffi
Participant
‎2019-06-25 07:03 AM
In response to PhoneBoy

@PhoneBoy thanks for letting me know...out of curiosity, do you know if this is something which will be added in future versions of the Endpoint Security Clients? 

Cheers,

 

Jon

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-25 11:51 AM
In response to Jonathan_Griffi

Not aware of specific plans in this area.
If anyone knows, @Royi_Priov does.
You may also want to check in with your local Check Point office regarding this requirement.

0 Kudos
Royi_Priov
Employee
Employee
‎2019-06-26 01:32 AM
In response to Jonathan_Griffi

Hi @Jonathan_Griffi 

Adding this support exists on our long term road map for the Endpoint VPN clients.

As @PhoneBoy wrote, contacting your local office to open an RFE can speed this up and prioritize it.

 

Thanks,

Royi.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
Jonathan_Griffi
Participant
‎2019-06-26 03:08 AM
In response to Royi_Priov

@Royi_Priov  thanks for confirming. Much appreciated. 

Cheers,

 

Jon

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events