This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_TK
Collaborator
‎2022-05-12 11:21 AM

s2s VPN settings

Currently have a 7 gateway "Meshed" VPN community that was configured 6 or 7 years ago.  This is all checkpoint <-> checkpoint equipment.  Currently this community runs over a private MPLS network but later this year we moving it all to direct internet connectivity.  Just wondering if these encryption suite settings are still considered strong, or should i strengthen it?   

All versions are currently r81.10 hotfix 45

thanks 

Preview file
42 KB
0 Kudos
2 Replies
Timothy_Hall
Champion
Champion
‎2022-05-12 02:34 PM

Definitely move from SHA1 to SHA256 for both phases, and you should probably increase your Diffie Hellman Group to 19+ for the supposedly more secure Elliptic Curve key calculations instead of the older MODP.  May also want to use AES-GCM-128 for Phase 2 which is slightly more efficient, unless we are talking military applications where people will literally die if someone can crack the encrypted traffic in a reasonable timeframe, then use AES-256 for Phase 2 with PFS.  These changes shouldn't cause a noticeable performance impact and I believe are a reasonable balance between performance and security in most cases.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
D_TK
Collaborator
‎2022-05-12 03:54 PM
In response to Timothy_Hall

Thanks Tim, appreciate your advice.

0 Kudos