VPN Best Practices


L4 Transporter

I'm looking to make some modifications to Site-to-Site VPN IKE-Gateway/IPSec profiles and GlobalProtect IPSec Crypto Profile.

 

For GlobalProtect IPSec,  I'd like to switch from aes-128-cbc to GCM.  I know GCM is more secure and has better performance but what I'm unsure about is if I need aes-256-gcm or is aes-128-gcm acceptable.  

 

For the site-to-site, IKE and IPSec Crypto are both using aes-256-cbc. Should I be using aes-256-gcm or aes-128-gcm? What DH groups are acceptable to use with GCM? I currently have 14 and 5 in my list.

 

I know one option is to add both and set the order to most secure, but just wondering if aes-256-gcm is overkill?  

 

One last question, for GlobalProtect, is there a way to see what encryption the client is using? For instance, if I added aes-128-gcm and left aes-128-cbc as a second option, is there a command to see what was negotiated?

1 accepted solution

Accepted Solutions

Cyber Elite

Hello,

So only my opinion, I would use the highest level that I could, so between the two choices, 256. The system logs are the ones that show VPN events so check there. I try to stay away from the CBC ciphers if GCM is available, more personal preference. I wouldn't set an order. Just set the ones you want to use and go from there. The GP clients should be OK. For the site-to-site tunnels, you'll need to use what is available on both sides.

 

Hope that helps.

Thanks for the response.

 

You mentioned don't set an order, but I believe the first one listed would be used?  So if aes-128-gcm was at the top of the list, then aes-gcm-256 would never be used?

So the answer there is it depends. Some systems first try the highest level of security before moving down the list until one is negotiated. You can force the setting by removing the 128 option and only having 256 as the option.

 

Hope that makes sense.
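
To illustrate the ordering question above (an added example, not part of any reply and not PAN-OS code): a simplified Python model of two selection policies a peer might apply to the configured algorithm lists. The profile contents, function names and policy labels are constructed for illustration.

```python
# Added illustration: simplified model of algorithm negotiation, not vendor code.
# Assumption: each peer holds an ordered list of acceptable encryption algorithms.

def negotiate(initiator, responder, responder_prefers_own_order=False):
    """Return the algorithm both peers accept, or None if the lists do not overlap.

    False: pick the first entry in the initiator's list that the responder allows.
    True:  pick the first entry in the responder's list that the initiator offered.
    """
    if responder_prefers_own_order:
        walk, allowed = responder, set(initiator)
    else:
        walk, allowed = initiator, set(responder)
    for alg in walk:
        if alg in allowed:
            return alg
    return None


def audit(initiator, responder, required):
    """Show the outcome under both policies and whether each meets `required`."""
    results = {}
    for label, flag in (("initiator-order", False), ("responder-order", True)):
        chosen = negotiate(initiator, responder, flag)
        results[label] = (chosen, chosen == required)
    return results


# Constructed sample profiles (hypothetical, using the ciphers named in the thread)
CLIENT_MIXED = ["aes-128-gcm", "aes-256-gcm", "aes-128-cbc"]
GATEWAY_MIXED = ["aes-256-gcm", "aes-128-gcm", "aes-128-cbc"]
GATEWAY_STRICT = ["aes-256-gcm"]  # the 128 and CBC options removed

if __name__ == "__main__":
    for name, gateway in (("mixed", GATEWAY_MIXED), ("strict", GATEWAY_STRICT)):
        print(name, audit(CLIENT_MIXED, gateway, required="aes-256-gcm"))
```

With the mixed lists the result depends on which side's order wins; with only aes-256-gcm left in the profile, both policies give the same result, and a peer that offers only weaker algorithms fails to negotiate instead of falling back.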

thanks @OtakarKlier 

 

All my VPNs are Palo to Palo, so I should be okay.  I was worried about encryption overhead causing performance issues by going too high with aes-256

 

I'm not in a government or finance sector, where I have stringent rules 🙂

Understandable. However, if your PANs are running low CPU now, bumping it up shouldn't hurt. 128-bit is still within FIPS standards.
