11-11-2017 03:09 PM
I was wondering if anyone had some good best practice recommendations for IPSec tunnel configurations. I’ve set up a lot of these in my time, but I’m realizing that I still don’t have a firm grasp over all these choices other than “make them match on both ends if you want them to work” and “more secure is better than less secure”.
Especially, for Crpyto Profiles. Is there any good reason to not just always go with the strongest algorithms, as long as they are supported by the peer? What about phase 1 vs phase two crypto choices (is there more/less reason to choose stronger protocols in one vs the other)? I have noticed the firewalls I’ve inherited have a numbere of tunnels with SHA1 and I’m thinking it would be a good idea to migrate those to at least SHA256, if not SHA512. Heck, a few are still using MD5 (not to mention 3DES for encryption) which is pretty insecure at this point if I’m not mistaken. What about performance impacts? For example, a PA 200 with a couple of tunnels vs a PA 3020 with perhaps 50 - 100 tunnels?
What are some good general recommendations concerning key lifetimes? I asked this question to PA Support this question and they suggested that phase 1 should always be longer than phase 2 and recommended 24 hours for phase 1 and 8 hours for phase 2. But I’m not sure what the rationale behind those suggestions is...
Finally, one thing I’ve seen is that the profiles for the environment I’ve inherited are mostly set with just single protocol choices (a separate profile for AES256-SHA1-NoPFS-8Hrs vs another profile for AES256-SHA256-DH2-24HRs). I was under the impression that the whole point of profiles was to define your supported options and their order of preference and then let the two peers negotiate which to use (a single profile that says AES256, SHA256 or SHA1 if that’s not supported, and DH2 or else no PFS, etc). Is there something I don’t know? Does negotiation tend to fail or introduce interoperability issues between different vendors? Or is this just a matter of the sensibilities of the network admin and how they like to manage things?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!