11-11-2017 03:09 PM
I was wondering if anyone had some good best practice recommendations for IPSec tunnel configurations. I’ve set up a lot of these in my time, but I’m realizing that I still don’t have a firm grasp over all these choices other than “make them match on both ends if you want them to work” and “more secure is better than less secure”.
Especially for Crypto Profiles. Is there any good reason to not just always go with the strongest algorithms, as long as they are supported by the peer? What about phase 1 vs phase 2 crypto choices (is there more/less reason to choose stronger protocols in one vs the other)? I have noticed the firewalls I’ve inherited have a number of tunnels with SHA1 and I’m thinking it would be a good idea to migrate those to at least SHA256, if not SHA512. Heck, a few are still using MD5 (not to mention 3DES for encryption) which is pretty insecure at this point if I’m not mistaken. What about performance impacts? For example, a PA 200 with a couple of tunnels vs a PA 3020 with perhaps 50 - 100 tunnels?
What are some good general recommendations concerning key lifetimes? I asked PA Support this question and they suggested that phase 1 should always be longer than phase 2 and recommended 24 hours for phase 1 and 8 hours for phase 2. But I’m not sure what the rationale behind those suggestions is...
Finally, one thing I’ve seen is that the profiles for the environment I’ve inherited are mostly set with just single protocol choices (a separate profile for AES256-SHA1-NoPFS-8Hrs vs another profile for AES256-SHA256-DH2-24HRs). I was under the impression that the whole point of profiles was to define your supported options and their order of preference and then let the two peers negotiate which to use (a single profile that says AES256, SHA256 or SHA1 if that’s not supported, and DH2 or else no PFS, etc). Is there something I don’t know? Does negotiation tend to fail or introduce interoperability issues between different vendors? Or is this just a matter of the sensibilities of the network admin and how they like to manage things?