Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Steve_Pearson
Contributor

Site to Site VPN configuration

Hi everyone,

I was just wondering was the general feeling was about the phase 1/2 encryption protocols between a Checkpoint appliance and a third party device (Sonicwall, Draytec etc) in todays world?

I'm just looking at one now and these are the requested settings, which to me look a little outdated:

Phase 1

DH Group 2

3DES encryption

SHA1 integrity

Renegotiate IKE every 28800 seconds

 

Phase 2

3DES encryption

SHA1 integrity

Renegotiate IPsec every 3600 seconds

Thanks,

Steve

0 Kudos
2 Replies
Gojira
Collaborator
Collaborator

Hi Steve,

Those settings are indeed not recommended.

3des is less secure and less efficient than AES suites.

 

You could use anything from AES-256 + Sha2 and up.

 

Enable PFS  in phase 2 only if extreme security is needed

0 Kudos
CaseyB
Advisor

3DES is a no go for today's standards and SHA-1 is being phased out. I have been using the following for site-to-site VPNs with 3rd parties:

IKEv2

Phase1: AES-256 / SHA256 - Group 19 / 1440 minutes

Phase2: AES-GCM-256 / 3600 seconds

It would be nice to be able to use GCM in Phase1, but that option is not available currently. Ideally you want a minimum key size of 256 for everything. I would be curious to see what others recommend as well for encryption. 

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events