Marcus_Smith
Participant

What are the recommended Encryption Settings for "Remote Access"?

Hi all, I've read lots of SK articles and posts such as the following, but I've still yet to understand exactly what the recommended settings for Remote Access should be. A lot of these documents/posts appear to be referring to IPSEC recommendations, which has more encryption options than Remote Access.

I have looked at posts such as the below and the preferred Encryption phase settings don't appear to be available for Remote Access.

Relative speeds of algorithms for IPsec and SSL (checkpoint.com)

Solved: VPN Performance Question - Check Point CheckMates

It appears the highest Diffie-Hellman Group available for Remote Access Phase 1 is Group 14 (2048)?

As per this post from 2019? R80.10 - Remote Access VPN - Endpoint Security Dif... - Check Point CheckMates

How does this look?

Phase 1

  • IKE Phase 1 - AES-256
  • Use Data Integrity - SHA256
  • Use Diffie-Hellman group - Group 14 (2048 bit)

Phase 2

  • AES-256
  • Data Integrity - SHA256
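One way to sanity-check a proposal like the one above against a minimum policy, as an added example that is not part of this thread or of any Check Point tooling. The algorithm tables, the thresholds (AES-128 or better, SHA-256 or better, a DH group of at least 2048-bit equivalent strength), and the treatment of a Phase 2 proposal with no DH group as "no PFS" are assumptions made for illustration, not vendor recommendations.

```python
"""Audit IKE Phase 1 / IPsec Phase 2 proposals against a minimum policy.

Added example, not from the thread. Thresholds and tables are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Key / digest sizes in bits for the names used in the thread, plus the legacy
# options a backward-compatible profile may still offer (constructed table).
ENCRYPTION_BITS = {"DES": 56, "3DES": 112, "AES-128": 128, "AES-256": 256}
INTEGRITY_BITS = {"MD5": 128, "SHA1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}

# Diffie-Hellman groups expressed as an equivalent finite-field modulus size.
# MODP sizes per RFC 3526; ECP groups 19/20 mapped to the finite-field size of
# comparable strength per NIST SP 800-57 Part 1 (256-bit ECC ~ 3072-bit FF).
DH_GROUP_EQUIV_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072,
                       16: 4096, 19: 3072, 20: 7680}

# Minimums assumed for this example only.
MIN_ENCRYPTION_BITS = 128
MIN_INTEGRITY_BITS = 256
MIN_DH_EQUIV_BITS = 2048

Finding = Tuple[str, str]  # (severity, message); severity is "fail" or "warn"


@dataclass
class Proposal:
    encryption: str
    integrity: str
    dh_group: Optional[int] = None  # None in Phase 2 means no PFS


def check_proposal(phase: int, p: Proposal) -> List[Finding]:
    """Return policy findings for one phase's proposal (empty list = clean)."""
    findings: List[Finding] = []

    enc = ENCRYPTION_BITS.get(p.encryption)
    if enc is None:
        findings.append(("fail", f"Phase {phase}: unknown encryption algorithm {p.encryption!r}"))
    elif enc < MIN_ENCRYPTION_BITS:
        findings.append(("fail", f"Phase {phase}: {p.encryption} is {enc}-bit, below {MIN_ENCRYPTION_BITS}"))

    dig = INTEGRITY_BITS.get(p.integrity)
    if dig is None:
        findings.append(("fail", f"Phase {phase}: unknown integrity algorithm {p.integrity!r}"))
    elif dig < MIN_INTEGRITY_BITS:
        findings.append(("fail", f"Phase {phase}: {p.integrity} is {dig}-bit, below {MIN_INTEGRITY_BITS}"))

    if p.dh_group is None:
        if phase == 1:
            findings.append(("fail", "Phase 1: a Diffie-Hellman group is required"))
        else:
            # Without a Phase 2 DH exchange the IPsec keys derive from the
            # Phase 1 secret only, so there is no Perfect Forward Secrecy.
            findings.append(("warn", "Phase 2: no DH group selected, so no PFS for IPsec keys"))
    else:
        bits = DH_GROUP_EQUIV_BITS.get(p.dh_group)
        if bits is None:
            findings.append(("fail", f"Phase {phase}: unknown DH group {p.dh_group}"))
        elif bits < MIN_DH_EQUIV_BITS:
            findings.append(("fail", f"Phase {phase}: DH group {p.dh_group} (~{bits}-bit) is below {MIN_DH_EQUIV_BITS}"))
    return findings


def audit(profile: Dict[int, Proposal]) -> List[Finding]:
    """Check every phase in a profile, in phase order."""
    findings: List[Finding] = []
    for phase, p in sorted(profile.items()):
        findings.extend(check_proposal(phase, p))
    return findings


def is_acceptable(findings: List[Finding]) -> bool:
    return not any(sev == "fail" for sev, _ in findings)


# Constructed samples: the settings proposed in the post, and a legacy profile.
PROPOSED = {1: Proposal("AES-256", "SHA256", 14), 2: Proposal("AES-256", "SHA256")}
LEGACY = {1: Proposal("3DES", "SHA1", 2), 2: Proposal("3DES", "MD5")}

if __name__ == "__main__":
    for name, profile in (("proposed", PROPOSED), ("legacy", LEGACY)):
        found = audit(profile)
        print(f"{name}: {'acceptable' if is_acceptable(found) else 'NOT acceptable'}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Run as a script it prints the proposed profile as acceptable with a single warning about missing Phase 2 PFS, and the legacy profile as not acceptable with a failure per weak setting; the tables are the place to adjust when a profile needs to match what a given gateway version actually offers.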
5 Replies
PhoneBoy
Admin

The answer "depends" on whether you're allowing backward compatible clients to connect or not.
The defaults are defined with backward compatibility in mind and can be adjusted if this is not a requirement.

Marcus_Smith
Participant

Thanks for the reply.  

Under Global Properties Remote Access "Support Legacy Authentication for SC (hybrid mode)" and "Support Legacy EAP" is ticked.  However, on the Gateways under VPN Clients "Allow older clients to connect to this gateway" is unticked.

If I deselect the Global Properties options are you saying additional Encryption algorithms will be available?  

the_rock
Mentor

I could be wrong, but I do not believe if you unselect that additional options will be available.

Marcus_Smith
Participant

I think you're correct.

If you look in your Management, am I correct that the highest option for IKE Phase 1 Diffie-Hellman group is 14?

And I don't believe for Remote Access you have an option to choose the Phase 2 Diffie-Hellman group? 

Thanks
the_rock
Mentor

I'm pretty positive that is correct... I recall once I was helping a customer set up a site-to-site VPN tunnel and Cisco had a SHA-512 option, but CP did not. I know that's finally available in R81, which is great, since it's much more secure.
