Info:
Security Manager / Gateway Environment R80.10
Endpoint Security VPN Client: E80.97
Hi,
I won't pretend to know the cryptographic intricacies of all the differences between the numerous Diffie-Hellman groups; my question / concern is based on best practice while providing a balance between security and usability.
I've spent the last few hours trying to find content relating to why I can't use Diffie-Hellman Group 19/20 with my Remote Access VPN clients...using Endpoint Security E80.9x.
Within global properties on my SMS I can set some pretty respectable Encryption / Integrity algorithms. However, the "best" offering regarding Diffie-Hellman Groups is 14 (2048 bits). I would like to know why I am unable to use Diffie-Hellman Groups 19/20 as this is really the minimum standard for IPsec as far as I can tell...happy to be corrected if this understanding is wrong?
I'm beginning to suspect this is a client limitation. I have checked the database with the guiDB tool and can see groups 19 and 20 are defined.
Some clarification and/or direction to the relevant resource would be much appreciated.
Thanks,
Jon
@PhoneBoy thanks for letting me know...out of curiosity, do you know if this is something which will be added in future versions of the Endpoint Security Clients?
Cheers,
Jon
Not aware of specific plans in this area.
If anyone knows, @Royi_Priov does.
You may also want to check in with your local Check Point office regarding this requirement.
Adding this support exists on our long-term roadmap for the Endpoint VPN clients.
As @PhoneBoy wrote, contacting your local office to open an RFE can speed this up and prioritize it.
Thanks,
Royi.