VPN IPSec gcm or cbc cypher types

Reply
Highlighted
L4 Transporter

VPN IPSec gcm or cbc cypher types

When configuring VPN to a 3rd party vendor and you are given the required settings for IPsec profile as sha1 or sha256 only, however on the Palo Alto firewall we have the option to use cbc or gcm, e.g. aes-256-cbc and aes-256-gcm.

In the past I used to add both to the profile, but I need to automate bulk VPN creation and it will be easier to select just one.

 

Can you please advise if we should use cbc or gcm for VPN to Cisco ASA, Juniper SRX, Juniper SSG, Checkpoint and Fortinet?

Tags (3)

Accepted Solutions
Highlighted
L2 Linker

I doubt gcm will work with all the devices on your list.

 

eg. gcm is newer. and ssg devices are EOL and very old.

new features have stopped releasing on them a while ago(and even the longest supported models are end of support beginning 2020 I believe)

but support of GCM will also be mainly dependant on software/os as well.
so it's hard to just say yes checkpoint will support gcm.
(fyi I believe checkpoint software versions currently still supported( eg. r77.30 and up) all support gcm.)

 

for ipsec vpn as I see it there are 2 scenarios:

either you also manage the remote side hardware. in which case you can upgrade the devices to support gcm yourself. or have to determine via the device documentation if gcm is supported)

or this is done by a 3rd party and then you need to ask them if their devices support gcm.

 

GCM has more performance and is more secure(if implemented correctly) however that does not mean that CBC is totally insecure.

on the flipside GCM usually requires a bit more mem/cpu to do. so if your pa or the remote hardware is already barely running with highcpu/mem all teh time. it may also be a reason to not use GCM.

 

eg.

party a might say yes: because they have an r80.20 checkpoint that is correctly sized

party b might say no: because the are running r75 checkpoint(EOS) and don't want to upgrade

party c might say yes but we don't do it: because they are running r80.20 but they have an undersized firewall running 95% mem all the time.





 

 

View solution in original post

Highlighted
Cyber Elite


@TommieVanHove wrote:

I doubt gcm will work with all the devices on your list.


@BatD as Tommie wrote it strongly depends on the installed OS. Some of them do support it, some of them don't, some of them only support it with IKEv2 where some issues could occur if you set IKE mode to "prefer IKEv2".

So in theory it will work if you simply offer both algorithms but in actual depmoyments there might be bugs ...

cbc will definately work with all of them and almost no matter what OS version installed

 

 

View solution in original post


All Replies
Highlighted
Cyber Elite

Hi @BatD 

 

For automating these tasks to whatever vendor you can imagine: use CBC to be (more) sure that it will work.

 

Edit: ... but when you already automate it, why not using both as GCM is more secure?

Highlighted
Cyber Elite

Does using GCM will cause anyoverhead on the PA?

MP
Highlighted
L4 Transporter

@vsys_remo Thank you for the response. Are you saying that either cbc and gcm will work with any of the vendors above? I am having that issue all the time when seting up a vpn to a 3rd party vendor. 

Highlighted
L2 Linker

I doubt gcm will work with all the devices on your list.

 

eg. gcm is newer. and ssg devices are EOL and very old.

new features have stopped releasing on them a while ago(and even the longest supported models are end of support beginning 2020 I believe)

but support of GCM will also be mainly dependant on software/os as well.
so it's hard to just say yes checkpoint will support gcm.
(fyi I believe checkpoint software versions currently still supported( eg. r77.30 and up) all support gcm.)

 

for ipsec vpn as I see it there are 2 scenarios:

either you also manage the remote side hardware. in which case you can upgrade the devices to support gcm yourself. or have to determine via the device documentation if gcm is supported)

or this is done by a 3rd party and then you need to ask them if their devices support gcm.

 

GCM has more performance and is more secure(if implemented correctly) however that does not mean that CBC is totally insecure.

on the flipside GCM usually requires a bit more mem/cpu to do. so if your pa or the remote hardware is already barely running with highcpu/mem all teh time. it may also be a reason to not use GCM.

 

eg.

party a might say yes: because they have an r80.20 checkpoint that is correctly sized

party b might say no: because the are running r75 checkpoint(EOS) and don't want to upgrade

party c might say yes but we don't do it: because they are running r80.20 but they have an undersized firewall running 95% mem all the time.





 

 

View solution in original post

Highlighted
Cyber Elite


@TommieVanHove wrote:

I doubt gcm will work with all the devices on your list.


@BatD as Tommie wrote it strongly depends on the installed OS. Some of them do support it, some of them don't, some of them only support it with IKEv2 where some issues could occur if you set IKE mode to "prefer IKEv2".

So in theory it will work if you simply offer both algorithms but in actual depmoyments there might be bugs ...

cbc will definately work with all of them and almost no matter what OS version installed

 

 

View solution in original post

Highlighted
L4 Transporter

@vsys_remo and @TommieVanHove 

Thank you for the your responses. This is exactly the information I needed. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!