Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8452
Views
5
Helpful
1
Replies

VPN Proposals Best Practice

Go to solution
Mokhalil82
Level 4
Level 4

‎04-19-2018 08:13 AM - edited ‎03-12-2019 05:13 AM

Hi

We currently have site to site VPNs to various 3rd parties. I am in the process of reviewing the current proposals and updating these. 

Currently we use IKEV1, aes256, sha-1, dh group 5, lifetime 86400, no pfs

I am planning to use IKEV2, aes256, sha256, dh group 21, lifetime 28800, pfs group 5

 

What are the industry best practices for a standard VPN tunnel at this time? I want to have a generic template but then also tighten the proposal where required.

 

Am I right in thinking this maybe depends on the 3rd party type and firewall resource, or should it be go for the best as long as there is firewall resource available and the other end supports it?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎04-19-2018 08:28 AM

Here are the Cisco recommended encryption algorithms:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

I believe the recommended settings are Suite-B-GCM:

https://tools.ietf.org/html/rfc6379

If the VPN peer supports it and there is no performance problem, I would go with the recommended settings.

 

HTH

Bogdan

View solution in original post

1 Reply 1

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎04-19-2018 08:28 AM

Here are the Cisco recommended encryption algorithms:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

I believe the recommended settings are Suite-B-GCM:

https://tools.ietf.org/html/rfc6379

If the VPN peer supports it and there is no performance problem, I would go with the recommended settings.

 

HTH

Bogdan

Customers Also Viewed These Support Documents