s2s VPN settings

Currently have a 7 gateway "Meshed" VPN community that was configured 6 or 7 years ago. This is all Check Point <-> Check Point equipment. Currently this community runs over a private MPLS network, but later this year we are moving it all to direct internet connectivity. Just wondering if these encryption suite settings are still considered strong, or should I strengthen them?

All versions are currently r81.10 hotfix 45


0 Kudos
2 Replies

Definitely move from SHA1 to SHA256 for both phases, and you should probably increase your Diffie-Hellman group to 19+ for the supposedly more secure Elliptic Curve key calculations instead of the older MODP. May also want to use AES-GCM-128 for Phase 2, which is slightly more efficient, unless we are talking military applications where people will literally die if someone can crack the encrypted traffic in a reasonable timeframe; in that case use AES-256 for Phase 2 with PFS. These changes shouldn't cause a noticeable performance impact and I believe are a reasonable balance between performance and security in most cases.

Gateway Performance Optimization R81.20 Course
now available at
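As an added illustration of the advice in the reply above (example code, not Check Point tooling and not something either poster wrote), the script below audits a site-to-site community's Phase 1 / Phase 2 proposals against the same points: SHA1 in either phase, a MODP Diffie-Hellman group instead of an ECP group (19+), and whether Phase 2 has a PFS group. The `Phase` and `Community` classes, the three sample communities and the finding strings are all constructed for this example; the DH group table is the IANA IKE group registry (MODP groups from RFC 3526/5114, ECP groups 19-21 from RFC 5903). It does not read gateway configuration; you would transcribe the community's settings into a `Community` object by hand.

```python
"""Audit IKE/IPsec proposal settings of a site-to-site VPN community.

Example code written for this thread; it is not Check Point's tooling.
The community objects below are constructed sample data, not real gateways.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IKE Diffie-Hellman groups (IANA transform type 4): group id -> (family, size in bits).
DH_GROUPS = {
    1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
    14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
    17: ("MODP", 6144), 18: ("MODP", 8192), 24: ("MODP", 2048),
    19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521),
}
WEAK_CIPHERS = {"DES", "3DES"}          # obsolete block ciphers
WEAK_HASHES = {"MD5", "SHA1"}           # deprecated integrity algorithms
AEAD_CIPHERS = {"AES-GCM-128", "AES-GCM-256"}  # AEAD: integrity comes with the cipher


@dataclass
class Phase:
    encryption: str
    integrity: str                      # not used when encryption is an AEAD cipher
    dh_group: Optional[int] = None      # Phase 1: IKE group; Phase 2: PFS group, None = no PFS


@dataclass
class Community:
    name: str
    phase1: Phase
    phase2: Phase


def dh_kind(group: Optional[int]) -> Tuple[str, int]:
    """Return (family, bits) for an IKE DH group id, or ("unknown", 0)."""
    return DH_GROUPS.get(group, ("unknown", 0))


def audit(c: Community) -> List[str]:
    """Return findings; 'FIX:' items contradict the reply's advice, 'NOTE:' items are optional."""
    findings: List[str] = []
    for label, ph in (("Phase 1", c.phase1), ("Phase 2", c.phase2)):
        enc = ph.encryption.upper()
        if enc in WEAK_CIPHERS:
            findings.append(f"FIX: {label} encryption {ph.encryption} is obsolete; "
                            "use AES-128, AES-256 or AES-GCM")
        # An AEAD cipher carries its own integrity check, so the hash setting is irrelevant there.
        if enc not in AEAD_CIPHERS and ph.integrity.upper() in WEAK_HASHES:
            findings.append(f"FIX: {label} integrity {ph.integrity} is deprecated; move to SHA256")

    kind, bits = dh_kind(c.phase1.dh_group)
    if kind != "ECP":
        findings.append(f"FIX: Phase 1 DH group {c.phase1.dh_group} ({kind} {bits}-bit); "
                        "prefer group 19 or higher (ECP)")

    if c.phase2.dh_group is None:
        findings.append("NOTE: Phase 2 has no PFS group; enable PFS if each IPsec SA "
                        "should get its own DH exchange")
    else:
        kind, bits = dh_kind(c.phase2.dh_group)
        if kind != "ECP":
            findings.append(f"FIX: Phase 2 PFS group {c.phase2.dh_group} ({kind} {bits}-bit); "
                            "prefer group 19 or higher (ECP)")
    return findings


# Constructed samples: a 6-7 year old profile, the reply's default suggestion,
# and the reply's higher-assurance suggestion (AES-256 with PFS).
LEGACY = Community("legacy", Phase("AES-128", "SHA1", 2), Phase("AES-128", "SHA1"))
MODERN = Community("modern", Phase("AES-256", "SHA256", 19), Phase("AES-GCM-128", "SHA256"))
HIGH = Community("high", Phase("AES-256", "SHA256", 20), Phase("AES-256", "SHA256", 20))

if __name__ == "__main__":
    for community in (LEGACY, MODERN, HIGH):
        print(f"== {community.name} ==")
        for line in audit(community) or ["OK: no findings"]:
            print("  " + line)
```

Running it prints three FIX items and one NOTE for the legacy profile, only the PFS note for the modern profile, and nothing for the high-assurance profile. Extend `DH_GROUPS` and the weak sets if your gateways expose other values; the audit is only as good as the settings you transcribe into it.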

Thanks Tim, appreciate your advice.

0 Kudos


