1022 Views | 10 Helpful | 2 Replies

Best Practice for VPN Proposals

Mokhalil82
Level 4

Hi

I am looking to update our site-to-site VPN template for our 3rd parties that connect in for support purposes. Currently we use IKEv1. I want to update and start using IKEv2 for any new connection.

What are the best recommended or standard practices for the Phase 1 & 2 proposals for the average VPN?

We currently use AES-256, SHA, DH group 5, lifetime 86400, no PFS.

I am looking to use AES-256, SHA256, DH group 21, lifetime 86400, PFS group 5.

Thanks

 

Accepted Solution

Hi,

Your choices look OK. I use this page for reference when choosing algorithms for VPNs; beware that the 3rd party may not support your chosen algorithms.

You could choose to use AES-GCM (this is an encryption and integrity algorithm).

You don't mention anything about authentication (PSK/certs); I assume you'll use PSK for 3rd-party VPNs. If you do, note that you can use asymmetric PSKs (one PSK for the local peer and another PSK for the remote peer).

PFS might be overkill; it depends on how sensitive the data you are protecting is.

HTH

2 Replies


Dennis Mink
VIP Alumni

Yeah, SHA-1 is a no-no. Check your IKEv2 transform sets as well, and consider deleting all that contain SHA1 and replacing them with a SHA256 hash and DH group 5.

Please remember to rate useful posts, by clicking on the stars below.
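The settings discussed in this thread, written out as an IOS/IOS-XE IKEv2 configuration. This is an added example, not configuration from any of the posts above: the object names, the RFC 5737 addresses (198.51.100.1 for our outside interface, 203.0.113.10 for the partner peer, the hosts in the ACL), the interface name and the PSK placeholders are all assumed, the platform and release are assumed to support AES-GCM, and ASA syntax differs from what is shown. It covers the Phase 1 and Phase 2 proposal from the question, the AES-GCM and asymmetric-PSK points from the accepted answer, and a SHA-1-free transform set as Dennis suggests. It goes beyond the thread in one place: PFS reuses group 21 rather than group 5, since group 5 (1536-bit MODP) is weaker than the group already negotiated in Phase 1, and a CBC/SHA-256 fallback proposal is included for partners that cannot negotiate GCM.

```cisco
! Added example, not from the thread. IOS/IOS-XE syntax; platform must support AES-GCM.
! Placeholders: 198.51.100.1 = our outside address, 203.0.113.10 = partner peer.
!
! Phase 1 (IKE SA). AES-GCM is an AEAD cipher, so no separate integrity
! algorithm is configured; a PRF must be given explicitly instead.
! Group 21 = 521-bit ECP.
crypto ikev2 proposal IKEV2-PROP-PARTNER
 encryption aes-gcm-256
 prf sha256
 group 21
!
! Fallback for partners that cannot do GCM: AES-CBC + SHA-256 HMAC.
! Still no SHA-1 and no group 5 anywhere; group 14 = 2048-bit MODP.
crypto ikev2 proposal IKEV2-PROP-PARTNER-CBC
 encryption aes-cbc-256
 integrity sha256
 group 21 14
!
crypto ikev2 policy IKEV2-POL-PARTNER
 match address local 198.51.100.1
 proposal IKEV2-PROP-PARTNER
 proposal IKEV2-PROP-PARTNER-CBC
!
! Asymmetric PSK: the key we present (local) differs from the key we expect
! the partner to present (remote). Both values below are placeholders.
crypto ikev2 keyring IKEV2-KR-PARTNER
 peer PARTNER-SUPPORT
  address 203.0.113.10
  pre-shared-key local REPLACE-WITH-LONG-RANDOM-LOCAL-KEY
  pre-shared-key remote REPLACE-WITH-LONG-RANDOM-REMOTE-KEY
!
crypto ikev2 profile IKEV2-PROF-PARTNER
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR-PARTNER
 lifetime 86400
 dpd 30 5 on-demand
!
! Phase 2 (child SA): GCM again, with a CBC/SHA-256 fallback.
! Note there is no esp-sha-hmac (that is SHA-1) in either set.
crypto ipsec transform-set TS-PARTNER-GCM esp-gcm 256
 mode tunnel
crypto ipsec transform-set TS-PARTNER-CBC esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: only the hosts the partner actually needs to reach.
ip access-list extended ACL-PARTNER-VPN
 permit ip 10.10.10.0 0.0.0.255 host 192.0.2.50
!
! Policy-based (crypto map) tunnel, which is what most 3rd-party support
! connections still expect. Drop "set pfs" if PFS is not wanted.
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-PARTNER-GCM TS-PARTNER-CBC
 set pfs group21
 set ikev2-profile IKEV2-PROF-PARTNER
 set security-association lifetime seconds 3600
 match address ACL-PARTNER-VPN
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-OUTSIDE
```

After the tunnel comes up, `show crypto ikev2 sa detailed` and `show crypto ipsec sa peer 203.0.113.10` show which encryption, PRF/integrity and DH group were actually negotiated; if the partner only offered the CBC fallback you will see it there. The Phase 2 lifetime of 3600 seconds is a choice made in this example; the thread only states 86400 for Phase 1.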
