VPN Best Practices

ce1028
L3 Networker

VPN Best Practices

I'm looking to make some modifications to Site-to-Site VPN IKE-Gateway/IPSec profiles and GlobalProtect IPSec Crypto Profile.

For GlobalProtect IPSec, I'd like to switch from aes-128-cbc to GCM. I know GCM is more secure and has better performance, but what I'm unsure about is if I need aes-256-gcm or is aes-128-gcm acceptable.

For the site-to-site, both IKE and IPSec Crypto are using aes-256-cbc. Should I be using aes-256-gcm or aes-128-gcm? What DH groups are acceptable to use with GCM? I currently have 14 and 5 in my list.

I know one option is to add both and set the order to most secure, but just wondering if aes-256-gcm is overkill?

One last question, for GlobalProtect, is there a way to see what encryption the client is using? For instance, if I added aes-128-gcm and left aes-128-cbc as a second option, is there a command to see what was negotiated?


Accepted Solutions
OtakarKlier
Cyber Elite

Hello,

So only my opinion, I would use the highest level that I could, so between the two choices, 256. The system logs are the ones that show VPN events, so check there. I try to stay away from the cbc ciphers if gcm is available, more personal preference. I wouldn't set an order. Just set the ones you want to use and go from there. The GP clients should be OK. For the site-to-site tunnels, you'll need to use what is available on both sides.

Hope that helps.

All Replies
ce1028
L3 Networker

Thanks for the response.

You mentioned don't set an order, but I believe the first one listed would be used? So if aes-128-gcm was at the top of the list, then aes-256-gcm would never be used?

OtakarKlier
Cyber Elite

So the answer there is it depends. Some systems first try the highest level of security before moving down the list until one is negotiated. You can force the setting by removing the 128 option and only having 256 as the option.

Hope that makes sense.

ce1028
L3 Networker

Thanks @OtakarKlier.

All my VPNs are Palo to Palo, so I should be okay. I was worried about encryption overhead causing performance issues by going too high with aes-256.

I'm not in a government or finance sector, where I have stringent rules.

OtakarKlier
Cyber Elite

Understandable. However, if your PANs are running low CPUs now, bumping it up shouldn't hurt. 128-bit is still within FIPS standards.
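To put numbers behind the aes-128-gcm vs aes-256-gcm question raised in this thread, here is an added Go example (not code from the thread, from PAN-OS, or from Palo Alto Networks) that seals an MTU-sized packet with both key sizes using the standard library: it shows that GCM's 16-byte tag is the same for either key size, that the tag rejects any modified byte (the integrity CBC mode needs a separate HMAC for), and it times the per-packet cost so you can see the aes-256 premium on your own CPU. The packet nonce derivation, the all-zero benchmark key and the 1400-byte payload are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"time"
)

// newGCM builds an AES-GCM AEAD: a 16-byte key gives aes-128-gcm, 32 bytes aes-256-gcm.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonce derives a 12-byte GCM nonce from a per-packet sequence number (constructed
// scheme, loosely modelled on ESP's counter-based IV; never reuse a seq under one key).
func nonce(aead cipher.AEAD, seq uint64) []byte {
	n := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(n[len(n)-8:], seq)
	return n
}

// seal returns ciphertext || 16-byte tag for one packet; the tag is the built-in
// integrity check that CBC mode would need a separate HMAC for.
func seal(aead cipher.AEAD, seq uint64, payload []byte) []byte {
	return aead.Seal(nil, nonce(aead, seq), payload, nil)
}

// nsPerPacket times seal over iters packets so aes-128-gcm and aes-256-gcm can be
// compared on the local CPU (the only difference is 10 vs 14 AES rounds).
func nsPerPacket(aead cipher.AEAD, payload []byte, iters int) time.Duration {
	start := time.Now()
	for i := 0; i < iters; i++ {
		seal(aead, uint64(i), payload)
	}
	return time.Since(start) / time.Duration(iters)
}

func main() {
	payload := make([]byte, 1400) // constructed MTU-sized packet
	for _, bits := range []int{128, 256} {
		aead, _ := newGCM(make([]byte, bits/8)) // all-zero key: benchmark only
		fmt.Printf("aes-%d-gcm: %v per packet, +%d bytes\n", bits,
			nsPerPacket(aead, payload, 20000), len(seal(aead, 1, payload))-len(payload))
	}
}
```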
