Mauro_Conoscian
Participant

VPN Site to Site Encryption Suite Best Practice

Any suggestions about the best performance/security parameters to use in a Site to Site Encryption Suite configuration? I would stress phase 1 and leave phase 2 lighter... in a few words:

Phase 1

               Encryption Algorithm -->  AES256

               Data Integrity --> SHA256

               DH Group     --> Group14

Phase 2

               Encryption Algorithm -->  3DES

               Data Integrity --> SHA1

unless the peer on the other side complains 🐵

What do you think about it?

 

0 Kudos
3 Replies
Alex-
Leader

Avoid 3DES as it's computationally inefficient compared to AES, and AES-NI will give you much better performance.

SHA1 shouldn't be used anymore in favor of AES256+

 

0 Kudos
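
As an added example (not part of the original posts and not Check Point code), the script below audits the suite proposed in the question against the points raised in the reply above. The strength table is an approximation based on NIST SP 800-57 Part 1, the comparison suite is constructed, and all function and variable names are hypothetical.

```python
# Added example: audit an IKE/IPsec suite. Strength figures are approximate
# security bits per NIST SP 800-57 Part 1; all names here are hypothetical.
CIPHER_BITS = {"AES256": 256, "AES128": 128, "3DES": 112}
DH_BITS = {2: 80, 14: 112, 15: 128, 19: 128, 20: 192}  # DH group -> approx. bits
SMALL_BLOCK = {"3DES"}          # ciphers with a 64-bit block
LEGACY_HASH = {"MD5", "SHA1"}   # integrity algorithms treated as legacy

def audit_phase(name, cipher, integrity, dh_group=None):
    """Return (effective_bits, findings) for one phase of the suite."""
    if cipher not in CIPHER_BITS:
        raise ValueError(f"{name}: unknown cipher {cipher!r}")
    bits, findings = CIPHER_BITS[cipher], []
    if cipher in SMALL_BLOCK:
        findings.append(f"{name}: {cipher} has a 64-bit block and is slower than AES")
    if integrity in LEGACY_HASH:
        findings.append(f"{name}: {integrity} is legacy, use SHA256 or stronger")
    if dh_group is not None:
        if dh_group not in DH_BITS:
            raise ValueError(f"{name}: unknown DH group {dh_group!r}")
        dh = DH_BITS[dh_group]
        if dh < bits:
            # Keys are derived from the DH exchange, so it bounds the cipher.
            findings.append(f"{name}: DH group {dh_group} (~{dh} bits) caps {cipher}")
        bits = min(bits, dh)
    return bits, findings

def audit_suite(suite):
    """Audit both phases; return ({phase: effective_bits}, [findings])."""
    report, findings = {}, []
    for phase in ("phase1", "phase2"):
        p = suite[phase]
        bits, found = audit_phase(phase, p["cipher"], p["integrity"], p.get("dh_group"))
        report[phase] = bits
        findings += found
    return report, findings

# The suite proposed in the question.
PROPOSED = {"phase1": {"cipher": "AES256", "integrity": "SHA256", "dh_group": 14},
            "phase2": {"cipher": "3DES", "integrity": "SHA1"}}
# Constructed comparison suite (sample values, not taken from the thread).
COMPARISON = {"phase1": {"cipher": "AES128", "integrity": "SHA256", "dh_group": 19},
              "phase2": {"cipher": "AES128", "integrity": "SHA256"}}

if __name__ == "__main__":
    for suite in (PROPOSED, COMPARISON):
        report, findings = audit_suite(suite)
        print(report)
        for line in findings:
            print(" -", line)
```

For the proposed suite both phases come out at roughly 112 bits: Group 14 bounds the AES256 keys in phase 1, and the 3DES and SHA1 findings land on phase 2, which is the phase that encrypts the tunnel's data traffic.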
G_W_Albrecht
Legend

Refer to sk105119 - Best Practices - VPN Performance and to sk104760 - ATRG: VPN Core. For a comparison of encryption algorithm speeds, refer to sk73980 - Relative speeds of algorithms for IPsec and SSL.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Danny
Champion

I recommend differentiating between Site-to-Site VPN between Check Point gateways and Site-to-Site VPN with 3rd party VPN gateways.

Best practice settings (bold) for VPN with 3rd party gateways | Compatibility matrix

0 Kudos
