04-12-2019 01:27 AM
When configuring VPN to a 3rd party vendor and you are given the required settings for IPsec profile as sha1 or sha256 only, however on the Palo Alto firewall we have the option to use cbc or gcm, e.g. aes-256-cbc and aes-256-gcm.
In the past I used to add both to the profile, but I need to automate bulk VPN creation and it will be easier to select just one.
Can you please advise if we should use cbc or gcm for VPN to Cisco ASA, Juniper SRX, Juniper SSG, Checkpoint and Fortinet?
04-13-2019 04:54 AM
I doubt gcm will work with all the devices on your list.
eg. gcm is newer. and ssg devices are EOL and very old.
new features have stopped releasing on them a while ago(and even the longest supported models are end of support beginning 2020 I believe)
but support of GCM will also be mainly dependant on software/os as well.
so it's hard to just say yes checkpoint will support gcm.
(fyi I believe checkpoint software versions currently still supported( eg. r77.30 and up) all support gcm.)
for ipsec vpn as I see it there are 2 scenarios:
either you also manage the remote side hardware. in which case you can upgrade the devices to support gcm yourself. or have to determine via the device documentation if gcm is supported)
or this is done by a 3rd party and then you need to ask them if their devices support gcm.
GCM has more performance and is more secure(if implemented correctly) however that does not mean that CBC is totally insecure.
on the flipside GCM usually requires a bit more mem/cpu to do. so if your pa or the remote hardware is already barely running with highcpu/mem all teh time. it may also be a reason to not use GCM.
eg.
party a might say yes: because they have an r80.20 checkpoint that is correctly sized
party b might say no: because the are running r75 checkpoint(EOS) and don't want to upgrade
party c might say yes but we don't do it: because they are running r80.20 but they have an undersized firewall running 95% mem all the time.
04-13-2019 07:47 AM
@TommieVanHove wrote:I doubt gcm will work with all the devices on your list.
@BatD as Tommie wrote it strongly depends on the installed OS. Some of them do support it, some of them don't, some of them only support it with IKEv2 where some issues could occur if you set IKE mode to "prefer IKEv2".
So in theory it will work if you simply offer both algorithms but in actual depmoyments there might be bugs ...
cbc will definately work with all of them and almost no matter what OS version installed
04-12-2019 12:09 PM - edited 04-12-2019 02:50 PM
Hi @BatD
For automating these tasks to whatever vendor you can imagine: use CBC to be (more) sure that it will work.
Edit: ... but when you already automate it, why not using both as GCM is more secure?
04-12-2019 05:14 PM
Does using GCM will cause anyoverhead on the PA?
04-13-2019 12:37 AM
@Remo Thank you for the response. Are you saying that either cbc and gcm will work with any of the vendors above? I am having that issue all the time when seting up a vpn to a 3rd party vendor.
04-13-2019 04:54 AM
I doubt gcm will work with all the devices on your list.
eg. gcm is newer. and ssg devices are EOL and very old.
new features have stopped releasing on them a while ago(and even the longest supported models are end of support beginning 2020 I believe)
but support of GCM will also be mainly dependant on software/os as well.
so it's hard to just say yes checkpoint will support gcm.
(fyi I believe checkpoint software versions currently still supported( eg. r77.30 and up) all support gcm.)
for ipsec vpn as I see it there are 2 scenarios:
either you also manage the remote side hardware. in which case you can upgrade the devices to support gcm yourself. or have to determine via the device documentation if gcm is supported)
or this is done by a 3rd party and then you need to ask them if their devices support gcm.
GCM has more performance and is more secure(if implemented correctly) however that does not mean that CBC is totally insecure.
on the flipside GCM usually requires a bit more mem/cpu to do. so if your pa or the remote hardware is already barely running with highcpu/mem all teh time. it may also be a reason to not use GCM.
eg.
party a might say yes: because they have an r80.20 checkpoint that is correctly sized
party b might say no: because the are running r75 checkpoint(EOS) and don't want to upgrade
party c might say yes but we don't do it: because they are running r80.20 but they have an undersized firewall running 95% mem all the time.
04-13-2019 07:47 AM
@TommieVanHove wrote:I doubt gcm will work with all the devices on your list.
@BatD as Tommie wrote it strongly depends on the installed OS. Some of them do support it, some of them don't, some of them only support it with IKEv2 where some issues could occur if you set IKE mode to "prefer IKEv2".
So in theory it will work if you simply offer both algorithms but in actual depmoyments there might be bugs ...
cbc will definately work with all of them and almost no matter what OS version installed
04-14-2019 02:01 AM
@Remo and @TommieVanHove
Thank you for the your responses. This is exactly the information I needed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
