04-19-2018 07:27 AM - edited 03-05-2019 10:18 AM
Hi
I am looking to update our site to site VPN template for our 3rd parties that connect in for support purposes. Currently we use ikev1. I want to update and start using ikev2 for any new connection.
What are the best recommended or standard practices for the Phase 1 & 2 proposals for the average VPN?
We currently use aes-256, sha, dh group 5, lifetime 86400, no pfs
I am looking to use aes-256, sha256, dh group 21, lifetime 86400, pfs group 5
Thanks
04-19-2018 09:58 AM
Hi,
Your choices look OK. I use this page for reference when choosing algorithms for VPNs; beware that the 3rd party may not support your chosen algorithms.
You could choose to use AES-GCM (this is an encryption and integrity algorithm).
You don't mention anything about authentication (PSK/certs); I assume you'll use PSK for 3rd party VPNs. If you do, note you can use asymmetric PSKs (one PSK for the local peer and another PSK for the remote peer).
PFS might be overkill, it depends on how sensitive the data you are protecting is.
HTH
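The following IOS IKEv2 configuration is an added illustration of the parameters discussed in this thread (the AES-256 / SHA-256 / DH group 21 proposal from the question, plus the AES-GCM option and the asymmetric pre-shared keys mentioned in the answer); it was not posted by either participant. The object names, the peer address 198.51.100.10, the tunnel addressing and the key placeholders are assumptions and must be replaced for a real deployment.

```cisco
! Added example, not from the thread. Names, the peer address 198.51.100.10,
! tunnel addressing and the <key> placeholders are assumptions.
!
! IKEv2 (Phase 1) proposals. AES-GCM is a combined-mode cipher, so the GCM
! proposal has no separate integrity line, but IKEv2 still needs a PRF.
! A CBC/HMAC proposal is offered second for 3rd parties that lack GCM support.
crypto ikev2 proposal PROP-GCM
 encryption aes-gcm-256
 prf sha256
 group 21
!
crypto ikev2 proposal PROP-CBC
 encryption aes-cbc-256
 integrity sha256
 prf sha256
 group 21
!
crypto ikev2 policy POL-3RDPARTY
 proposal PROP-GCM
 proposal PROP-CBC
!
! Asymmetric PSK: the key we present differs from the key the peer presents.
crypto ikev2 keyring KR-3RDPARTY
 peer VENDOR-A
  address 198.51.100.10
  pre-shared-key local <key-we-send>
  pre-shared-key remote <key-vendor-sends>
!
crypto ikev2 profile PROF-VENDOR-A
 match identity remote address 198.51.100.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-3RDPARTY
 lifetime 86400
!
! IPsec (Phase 2): GCM transform first, CBC/HMAC fallback, PFS enabled.
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
crypto ipsec transform-set TS-CBC esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-VENDOR-A
 set transform-set TS-GCM TS-CBC
 set pfs group21
 set security-association lifetime seconds 3600
 set ikev2-profile PROF-VENDOR-A
!
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VENDOR-A
```

Two practitioner notes on this example. The question proposed PFS with group 5; that would be `set pfs group5`, but group 5 is 1536-bit MODP and is weaker than the group 21 (256-bit ECP) negotiated for IKE, so the example uses group 21 for both. After the tunnel comes up, `show crypto ikev2 sa detailed` shows which proposal the 3rd party actually accepted, which is the quickest way to confirm that the fallback CBC proposal is not being silently selected.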
04-19-2018 11:49 PM
Yeah, SHA-1 is a no-no. Check your IKEv2 transform sets as well, and consider deleting all that contain SHA-1 and replacing them with SHA-256 hash and DH group 5.