
VPN Proposals Best Practice

Mokhalil82
Level 4

Hi

We currently have site to site VPNs to various 3rd parties. I am in the process of reviewing the current proposals and updating these. 

Currently we use IKEV1, aes256, sha-1, dh group 5, lifetime 86400, no pfs

I am planning to use IKEV2, aes256, sha256, dh group 21, lifetime 28800, pfs group 5

 

What are the industry best practices for a standard VPN tunnel at this time? I want to have a generic template but then also tighten the proposal where required.

 

Am I right in thinking this maybe depends on the 3rd party type and firewall resource, or should it be go for the best as long as there is firewall resource available and the other end supports it?

Accepted Solutions

Bogdan Nita
VIP Alumni

Here are the Cisco recommended encryption algorithms:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

I believe the recommended settings are Suite-B-GCM:

https://tools.ietf.org/html/rfc6379

If the VPN peer supports it and there is no performance problem, I would go with the recommended settings.

 

HTH

Bogdan
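
An added example, not part of the original posts or of any Cisco tooling: a small audit that lists where a proposal departs from the IKEv2 and ESP parameters of the two Suite-B-GCM suites in RFC 6379. It reports departures from the suite, not a strength ranking. The field names, the `audit` helper, the mapping of the question's shorthand ("aes256", "sha256") onto specific transforms, and the rule that the PFS group should equal the suite's DH group are assumptions of this example.

```python
# Added example: compare a VPN proposal with the RFC 6379 Suite-B-GCM suites.
# Field names and the audit() helper are chosen for this example only.

# IKEv2 and ESP parameters of the two GCM suites defined in RFC 6379.
SUITES = {
    "Suite-B-GCM-128": {
        "ike_encryption": "aes-cbc-128",
        "ike_prf": "hmac-sha-256",
        "ike_integrity": "hmac-sha-256-128",
        "dh_group": 19,  # 256-bit random ECP group
        "esp_encryption": "aes-gcm-128-icv16",
    },
    "Suite-B-GCM-256": {
        "ike_encryption": "aes-cbc-256",
        "ike_prf": "hmac-sha-384",
        "ike_integrity": "hmac-sha-384-192",
        "dh_group": 20,  # 384-bit random ECP group
        "esp_encryption": "aes-gcm-256-icv16",
    },
}

# Constructed from the question's planned template. The post does not say
# which ESP transform is used, so esp_encryption is left unset on purpose.
PLANNED = {
    "ike_encryption": "aes-cbc-256",      # "aes256", CBC mode assumed
    "ike_prf": "hmac-sha-256",            # "sha256"
    "ike_integrity": "hmac-sha-256-128",  # "sha256"
    "dh_group": 21,                       # 521-bit random ECP group
    "pfs_group": 5,                       # 1536-bit MODP group
}


def audit(proposal, suite_name):
    """Return (field, configured, required) for each departure from the suite."""
    suite = SUITES[suite_name]
    findings = [(field, proposal.get(field), want)
                for field, want in suite.items()
                if proposal.get(field) != want]
    # Example rule (assumption): with PFS enabled, the child-SA DH group
    # should be the same group the suite uses for IKE.
    pfs = proposal.get("pfs_group")
    if pfs is not None and pfs != suite["dh_group"]:
        findings.append(("pfs_group", pfs, suite["dh_group"]))
    return findings


if __name__ == "__main__":
    for field, have, want in audit(PLANNED, "Suite-B-GCM-256"):
        print(f"{field}: configured {have!r}, suite requires {want!r}")
```
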
