This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IPsec Site to Site Tunnel Crypto

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPsec Site to Site Tunnel Crypto

cmateam
L3 Networker

‎07-23-2013 10:57 AM

All,

First, please forgive me if this has been asked before, I wasn't able to find anything conclusive with any good explanation.

Recently I renewed a couple of web server certificates and in doing so the CA recommended that I use SHA2 with a 256-bit message digest as SHA1 was known to have been cracked and was weak. This lead to some further digging on some of the crypto stuff for the PAN firewalls and noticed that a site-to-site IPsec tunnel I had setup nearly a year ago is using SHA1 (both are PAN firewalls). My current config is:

IKE Crypto is using:

  • Encryption - aes128, 3des
  • Authentication - sha1
  • DH Group - group2
  • Lifetime - 8 hours

IPsec Crypto is using:

  • ESP/AH - ESP
  • Encryption - aes128, 3des
  • Authentication - sha1
  • DH Group - group2
  • Lifetime - 1 hours

I kinda followed the 'book' based on PAN's documentation from a couple years ago, and some of the details are coming back to me, but what I am wondering if implementing some of the higher encryption/authentication standards can be done by stacking.  I believe I can do this on both sides with no problem, but what I am little fuzzy on is the DH group setting and does that need to be adjusted. I found this site that explained the details a little bit more: Help - IBM z/OS Management Facility.

Additionally what has been your experience with using AES256 over AES128 for encryption - any performance issues? (IPsec crypto also supports AES128 CCM16). And for Authentication SHA512 over SHA256?

Thanks for any help.

0 Likes Likes
3 REPLIES 3

tshiv
L4 Transporter

‎07-23-2013 11:59 AM

Hi,

   The DH group signifies the strength of the key. Higher the DH group, stronger is the key and hence more secure. Saying that, the higher the DH group more will be the processing time as the key size is larger. Below are the numbers:

  • DH group 1: 768-bit key
  • DH group 2: 1024-bit key
  • DH group 5: 1536-bit key

    If you you have enabled FIPS mode on the firewall and want to know what cipher suites are supported by the PA, go through the discussion on the following thread :

    The key size in the AES signifies the number of repetition cycles with each cycle consisting of finite processing steps to convert a plain text into a cipher text. The repetition cycles are more in AES256 ( 14 cycles) as compared to AES128 ( 10 cycles ). The additional 4 cycles can delay the processing time.

     If computing time for hash is not a concern, then SHA512 should be preferred. Note that more time to compute hash means more time to crack the hash. Hope this was helpful to you.

Regards

Tilak

ukhapre
L3 Networker

‎07-24-2013 06:40 PM

Hello, there had been issues seen with DH group set for cisco devices. Can you try setting up DH as no-pfs on both ends and check?

0 Likes Likes

cmateam
L3 Networker
In response to ukhapre

‎07-25-2013 09:41 AM

ukhapre,

In our site to site setup, we are not using and Cisco products. Both sides are PAN-2020s.

0 Likes Likes
  • 4176 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks