s2s VPN settings

D_TK · ‎2022-05-12

Currently have a 7 gateway "Meshed" VPN community that was configured 6 or 7 years ago. This is all checkpoint <-> checkpoint equipment. Currently this community runs over a private MPLS network but later this year we moving it all to direct internet connectivity. Just wondering if these encryption suite settings are still considered strong, or should i strengthen it?

All versions are currently r81.10 hotfix 45

thanks

Timothy_Hall · ‎2022-05-12

Definitely move from SHA1 to SHA256 for both phases, and you should probably increase your Diffie Hellman Group to 19+ for the supposedly more secure Elliptic Curve key calculations instead of the older MODP. May also want to use AES-GCM-128 for Phase 2 which is slightly more efficient, unless we are talking military applications where people will literally die if someone can crack the encrypted traffic in a reasonable timeframe, then use AES-256 for Phase 2 with PFS. These changes shouldn't cause a noticeable performance impact and I believe are a reasonable balance between performance and security in most cases.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon

D_TK · ‎2022-05-12

Thanks Tim, appreciate your advice.

Are you a member of CheckMates?

s2s VPN settings