VPN Site to Site Encryption Suite Best Practise

Mauro_Conoscian · ‎2019-09-24

Any suggestions about the best performance/security parameters to use in a Site to Site Encryption Suite configuration ? I would stress the phase 1 and leave the phase 2 lighter....in few words

Phase 1

Encryption Alghoritm --> AES256

Data Integrity --> SHA256

DH Group --> Group14

Phase 2

Encryption Alghoritm --> 3DES

Data Integrity --> SHA1

unless the other side peer complain 🐵

What do you think about it ?

Alex- · ‎2019-09-24

Avoid 3DES as it's computationally inefficient compared to AES, and AES-NI will give you much better performance.

SHA1 shouldn't be used anymore in favor of AES256+

G_W_Albrecht · ‎2019-09-24

Refer to sk105119 - Best Practices - VPN Performance and to sk104760 - ATRG: VPN Core. For a comparison of encryption algorithm speeds, refer to sk73980 - Relative speeds of algorithms for IPsec and SSL.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Danny · ‎2019-09-24

I recommend to differentiate between VPN Site-to-Site between Check Point gateways and with 3rd party VPN gateways.

Best practice settings (bold) for VPN with 3rd party gateways | Compatibility matrix

Are you a member of CheckMates?

VPN Site to Site Encryption Suite Best Practise