
Site to Site VPN configuration

Hi everyone,

I was just wondering what the general feeling is about the Phase 1/2 encryption protocols between a Check Point appliance and a third-party device (SonicWall, DrayTek, etc.) in today's world?

I'm just looking at one now and these are the requested settings, which to me look a little outdated:

Phase 1

DH Group 2

3DES encryption

SHA1 integrity

Renegotiate IKE every 28800 seconds


Phase 2

3DES encryption

SHA1 integrity

Renegotiate IPsec every 3600 seconds



2 Replies

Hi Steve,

Those settings are indeed not recommended.

3DES is less secure and less efficient than AES suites.


You could use anything from AES-256 + SHA-2 and up.


Enable PFS in Phase 2 only if extreme security is needed.


3DES is a no go for today's standards and SHA-1 is being phased out. I have been using the following for site-to-site VPNs with 3rd parties:


Phase 1: AES-256 / SHA256 - Group 19 / 1440 minutes

Phase 2: AES-GCM-256 / 3600 seconds

It would be nice to be able to use GCM in Phase 1, but that option is not available currently. Ideally you want a minimum key size of 256 for everything. I would be curious to see what others recommend as well for encryption.



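To make the comparison between the settings quoted in the original post and the ones in the second reply concrete, here is an added example (not code from the thread, Check Point, or any vendor): a small proposal linter that scores an IKE Phase 1 / IPsec Phase 2 proposal against current guidance. The transform names, the `Proposal` class and the severity levels are this example's own conventions; the strength figures are the usual NIST SP 800-57 symmetric-equivalent estimates and are approximate.

```python
"""
Added example, not from the thread or any vendor: lint an IKE Phase 1 /
IPsec Phase 2 proposal the way a reviewer would before accepting a
third-party VPN request. Strength values are approximate SP 800-57 figures.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Diffie-Hellman groups from RFC 3526 (MODP) and RFC 5903 (ECP):
# group id -> (kind, size in bits, approx. symmetric-equivalent strength)
DH_GROUPS = {
    1:  ("modp", 768, 64),
    2:  ("modp", 1024, 80),
    5:  ("modp", 1536, 96),
    14: ("modp", 2048, 112),
    15: ("modp", 3072, 128),
    16: ("modp", 4096, 152),
    19: ("ecp", 256, 128),
    20: ("ecp", 384, 192),
    21: ("ecp", 521, 256),
}

# Encryption transforms: (effective strength, block bits, AEAD?, retired by NIST?)
# 3DES uses a 168-bit key but meet-in-the-middle reduces it to ~112 bits, and
# its 64-bit block is what exposes it to Sweet32-style birthday attacks.
# NIST SP 800-131A disallows 3DES after 2023.
CIPHERS = {
    "3des":      (112, 64, False, True),
    "aes128":    (128, 128, False, False),
    "aes256":    (256, 128, False, False),
    "aes128gcm": (128, 128, True, False),
    "aes256gcm": (256, 128, True, False),
}

# Integrity (HMAC) transforms: (output bits, being retired?). HMAC-SHA-1 is not
# broken by the SHA-1 collision attacks, but SHA-1 is being phased out overall,
# so most baselines record it as a finding rather than an outright failure.
INTEGRITY = {
    "md5":    (128, True),
    "sha1":   (160, True),
    "sha256": (256, False),
    "sha384": (384, False),
    "sha512": (512, False),
}

MIN_BITS = 112     # floor below which a proposal fails outright
TARGET_BITS = 128  # what a new tunnel should aim for (AES-128 / ECP-256 class)


@dataclass
class Proposal:
    phase: int                        # 1 = IKE SA, 2 = IPsec (child) SA
    cipher: str
    integrity: Optional[str] = None   # may be omitted only for AEAD ciphers
    dh_group: Optional[int] = None    # Phase 1 always; Phase 2 only when PFS is on
    lifetime_s: int = 0


Finding = Tuple[str, str]  # (severity: "fail" | "warn" | "info", message)


def evaluate(p: Proposal) -> List[Finding]:
    """Return every finding for one proposal, worst first."""
    out: List[Finding] = []
    strength, block, aead, retired = CIPHERS[p.cipher]
    if retired:
        out.append(("fail", f"{p.cipher}: retired by NIST SP 800-131A, do not negotiate"))
    if strength < MIN_BITS:
        out.append(("fail", f"{p.cipher}: {strength}-bit strength below {MIN_BITS}"))
    elif strength < TARGET_BITS:
        out.append(("warn", f"{p.cipher}: {strength}-bit strength below target {TARGET_BITS}"))
    if block < 128:
        out.append(("fail", f"{p.cipher}: {block}-bit block, birthday bound after 2^32 blocks"))

    if aead:
        if p.integrity is not None:
            out.append(("info", f"{p.integrity} is redundant with AEAD cipher {p.cipher}"))
    elif p.integrity is None:
        out.append(("fail", f"{p.cipher} is not AEAD and no integrity algorithm is set"))
    else:
        _, hash_retired = INTEGRITY[p.integrity]
        if p.integrity == "md5":
            out.append(("fail", "md5: broken, do not negotiate"))
        elif hash_retired:
            out.append(("warn", f"{p.integrity}: being phased out, move to sha256 or better"))

    if p.dh_group is not None:
        kind, size, dh_bits = DH_GROUPS[p.dh_group]
        label = f"DH group {p.dh_group} ({kind.upper()}-{size})"
        if dh_bits < MIN_BITS:
            out.append(("fail", f"{label}: ~{dh_bits}-bit strength below {MIN_BITS}"))
        elif dh_bits < TARGET_BITS:
            out.append(("warn", f"{label}: ~{dh_bits}-bit strength below target {TARGET_BITS}"))
    elif p.phase == 1:
        out.append(("fail", "Phase 1 must carry a DH group"))
    else:
        out.append(("info", "no PFS: Phase 2 keys derive entirely from the IKE SA secret"))

    order = {"fail": 0, "warn": 1, "info": 2}
    return sorted(out, key=lambda f: order[f[0]])


def acceptable(p: Proposal) -> bool:
    """True when the proposal has no 'fail' findings."""
    return not any(sev == "fail" for sev, _ in evaluate(p))


# Constructed from the thread, not pulled from any device: the original post's settings ...
LEGACY = [
    Proposal(1, "3des", "sha1", dh_group=2, lifetime_s=28800),
    Proposal(2, "3des", "sha1", lifetime_s=3600),
]
# ... and the second reply's (Group 19 / 1440 min for Phase 1, AES-GCM-256 for Phase 2).
MODERN = [
    Proposal(1, "aes256", "sha256", dh_group=19, lifetime_s=1440 * 60),
    Proposal(2, "aes256gcm", lifetime_s=3600),
]

if __name__ == "__main__":
    for name, props in (("legacy", LEGACY), ("modern", MODERN)):
        for p in props:
            print(f"{name} phase {p.phase}: {'OK' if acceptable(p) else 'FAIL'}")
            for sev, msg in evaluate(p):
                print(f"    [{sev}] {msg}")
```

Run as a script it lists each finding per proposal; the legacy Phase 1 fails three times over (retired cipher, 64-bit block, ~80-bit DH group) while the modern Phase 2 only gets an informational note that PFS is off. Setting `dh_group=19` on the Phase 2 proposal is what "enable PFS" means in the first reply, and the linter then evaluates that group the same way it does for Phase 1.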


