This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Jonathan_Griffi
Participant
‎2019-06-19 05:41 AM

R80.10 - Remote Access VPN - Endpoint Security Diffie-Hellman Support

Info:

Security Manager / Gateway Environment R80.10

Endpoint Security VPN Client: E80.97

 

Hi,

I won't pretend to know the cryptographic intricacies of all the differences between the numerous Diffie-Hellman groups; my question / concern is based on best practice while providing a balance between security and usability. 

I've spent the last few hours trying to find content relating to why I can't use Diffie-Hellman Group 19/20 with my Remote Access VPN clients...using Endpoint Security E80.9x. 

Within global properties on my SMS I can set some pretty respectable Encryption / Integrity algorithms. However, the "best" offering regarding Diffie-Hellman Groups is 14 (2048bits). I would like to know why I am unable to use Diffie-Hellman Groups 19/20 as this is really the minimum standard for IPSec as far as I can tell...happy to be corrected if this understanding is wrong?

I'm beginning to suspect this is a client limitation. I have checked the database with the guiDB tool and can see groups 19 and 20 are defined. 

Some clarification and /or direction to the relevant resource would be much appreciated. 

Thanks,

Jon

0 Kudos
Reply
5 Replies
PhoneBoy
Admin
Admin
‎2019-06-23 02:39 PM

You're correct that our VPN clients currently do not support DH Group 19/20.
You can see a reference to it here: http://downloads.checkpoint.com/dc/download.htm?ID=60345
0 Kudos
Reply
Jonathan_Griffi
Participant
‎2019-06-25 07:03 AM
In response to PhoneBoy

@PhoneBoy thanks for letting me know...out of curiosity, do you know if this is something which will be added in future versions of the Endpoint Security Clients? 

Cheers,

 

Jon

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-06-25 11:51 AM
In response to Jonathan_Griffi

Not aware of specific plans in this area.
If anyone knows, @Royi_Priov does.
You may also want to check in with your local Check Point office regarding this requirement.

0 Kudos
Reply
Royi_Priov
Employee+
Employee+
‎2019-06-26 01:32 AM
In response to Jonathan_Griffi

Hi @Jonathan_Griffi 

Adding this support exists on our long term road map for the Endpoint VPN clients.

As @PhoneBoy wrote, contacting your local office to open an RFE can speed this up and prioritize it.

 

Thanks,

Royi.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Reply
Jonathan_Griffi
Participant
‎2019-06-26 03:08 AM
In response to Royi_Priov

@Royi_Priov  thanks for confirming. Much appreciated. 

Cheers,

 

Jon

0 Kudos
Reply