D_TK
Collaborator

s2s VPN settings

Currently have a 7 gateway "Meshed" VPN community that was configured 6 or 7 years ago. This is all Check Point <-> Check Point equipment. Currently this community runs over a private MPLS network, but later this year we are moving it all to direct internet connectivity. Just wondering if these encryption suite settings are still considered strong, or should I strengthen them?

All versions are currently R81.10 hotfix 45.

Thanks

0 Kudos
2 Replies
Timothy_Hall
Champion

Definitely move from SHA1 to SHA256 for both phases, and you should probably increase your Diffie-Hellman group to 19+ for the supposedly more secure Elliptic Curve key calculations instead of the older MODP. May also want to use AES-GCM-128 for Phase 2, which is slightly more efficient, unless we are talking military applications where people will literally die if someone can crack the encrypted traffic in a reasonable timeframe; then use AES-256 for Phase 2 with PFS. These changes shouldn't cause a noticeable performance impact and I believe are a reasonable balance between performance and security in most cases.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
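The recommendations in the reply above (SHA256 for both phases, DH group 19 or higher, AES-GCM-128 or AES-256 with PFS for Phase 2) can be turned into a simple audit. The script below is an added example, not code from the thread or from Check Point: it checks a VPN community's IKE Phase 1 and Phase 2 settings against those recommendations and lists what still needs changing. The dictionary layout (`ike_phase_1`, `ike_phase_2`, `dh_group`, `pfs`) is an assumed shape for illustration, not the product's exact schema; the sample communities are constructed to resemble the older settings described in the question and the hardened settings suggested in the reply.

```python
"""Audit site-to-site VPN IKE/IPsec settings against the advice in the thread:
SHA256 integrity in both phases, DH group 19+ (ECP), and AES-GCM-128 or
AES-256 with PFS for Phase 2. Added example; the dictionary layout is an
assumption for illustration, not Check Point's management schema."""

# Constructed sample resembling a community configured years ago (assumption).
LEGACY_COMMUNITY = {
    "name": "Corp-Mesh",
    "ike_phase_1": {"encryption": "AES-256", "integrity": "SHA1", "dh_group": 2},
    "ike_phase_2": {"encryption": "AES-128", "integrity": "SHA1",
                    "pfs": False, "pfs_dh_group": None},
}

# Constructed sample after applying the thread's recommendations (assumption).
HARDENED_COMMUNITY = {
    "name": "Corp-Mesh",
    "ike_phase_1": {"encryption": "AES-256", "integrity": "SHA256", "dh_group": 19},
    "ike_phase_2": {"encryption": "AES-GCM-128", "integrity": "SHA256",
                    "pfs": True, "pfs_dh_group": 19},
}

WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_ENCRYPTION = {"DES", "3DES", "CAST", "NULL"}
ECP_GROUPS = {19, 20, 21}          # IANA IKE DH groups for ECP-256/384/521
LEGACY_MODP_GROUPS = {1, 2, 5}     # MODP-768/1024/1536, below modern strength


def audit_suite(phase_name, phase):
    """Check the cipher and integrity algorithm of one IKE phase."""
    findings = []
    enc = phase["encryption"]
    if enc in WEAK_ENCRYPTION:
        findings.append((phase_name, "encryption",
                         f"{enc} is obsolete; use AES-256 or AES-GCM"))
    integrity = phase.get("integrity")
    if integrity in WEAK_INTEGRITY:
        findings.append((phase_name, "integrity",
                         f"{integrity} should be replaced by SHA256"))
    return findings


def audit_dh(phase_name, group):
    """Check that the Diffie-Hellman group is an ECP group (19+)."""
    if group in ECP_GROUPS:
        return []
    if group in LEGACY_MODP_GROUPS:
        return [(phase_name, "dh_group",
                 f"group {group} is a legacy MODP group; move to 19+ (ECP)")]
    return [(phase_name, "dh_group",
             f"group {group} is MODP; the recommendation is 19+ (ECP)")]


def audit_community(community):
    """Return a list of (phase, setting, advice) tuples; empty means compliant."""
    p1 = community["ike_phase_1"]
    p2 = community["ike_phase_2"]
    findings = []
    findings += audit_suite("phase1", p1)
    findings += audit_dh("phase1", p1["dh_group"])
    findings += audit_suite("phase2", p2)
    if not p2.get("pfs"):
        findings.append(("phase2", "pfs",
                         "PFS is disabled; enable PFS with DH group 19+"))
    else:
        findings += audit_dh("phase2", p2["pfs_dh_group"])
    return findings


def print_report(community):
    """Human-readable summary of the audit for one community."""
    findings = audit_community(community)
    print(f"== {community['name']}: {len(findings)} finding(s) ==")
    for phase, setting, advice in findings:
        print(f"  [{phase}] {setting}: {advice}")


if __name__ == "__main__":
    print_report(LEGACY_COMMUNITY)
    print_report(HARDENED_COMMUNITY)
```

Running it prints four findings for the legacy sample (SHA1 in both phases, DH group 2, and PFS disabled) and none for the hardened one. The audit treats AES-128 as acceptable, matching the reply's view that AES-GCM-128 is fine for most Phase 2 use, and only flags the cipher when it is DES, 3DES, CAST or NULL.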
D_TK
Collaborator

Thanks Tim, appreciate your advice.

0 Kudos