Timothy_Hall

Just fired up a copy of R82 GA and was disappointed to see the default IPSec 3DES/SHA1 enforced settings for all Remote Access VPN clients are still there (also still with only DH Group 2 MODP allowed by default).  Kind of odd considering the default IKE/Phase1 hash algorithm for site-to-site VPN communities was updated from SHA1 to SHA384 for R82 (and the default DH group was updated from Group 2 to Group 15 MODP).  Looks like R82 site-to-site default for P2/IPSec is AES-GCM-128 which is perfectly fine.

I understand the need for backward compatibility here, but if customers are still running Remote Access VPN software (which is obviously security-oriented) that is so old it does not support AES or SHA256/SHA384, then they deserve to get broken.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com